Quasar0147

**Name of the Vulnerable Software and Affected Versions** Cinny versions prior to 4.10.3 **Description** A remote authenticated attacker who shares a room with a victim and has permissions to create room emotes can cause the victim's client to send their Matrix access token to an attacker-controlled server. This happens when the victim opens the emoji or sticker picker in a room containing a malicious emote pack. The issue stems from an incorrect fallback in the `EmojiBoard` component that uses the untrusted `pack.meta.avatar` variable without validating it as an MXC URL, allowing arbitrary HTTP(S) URLs. Additionally, the service worker attaches the user's Authorization bearer token to all outbound GET requests containing the endpoints '/ matrix/client/v1/media/download' or '/ matrix/client/v1/media/thumbnail' without verifying that the request host matches the configured homeserver origin. An attacker-controlled URL containing these path fragments and permissive CORS (Cross-Origin Resource Sharing, a mechanism that allows restricted resources on a web page to be requested from another domain) will receive the victim's Authorization header. **Recommendations** Update to version 4.10.3.

**Name of the Vulnerable Software and Affected Versions** RestrictedPython versions prior to 7.3 **Description** A user can gain access to protected information indirectly via `AttributeError.obj` and the `string` module. This issue allows unauthorized access to potentially sensitive information. **Recommendations** For versions prior to 7.3, as a temporary workaround, consider removing the `string` module from `RestrictedPython.Utilities.utility builtins` if the application does not require access to it, or otherwise do not make it available in the restricted execution environment. Update to version 7.3 to fully resolve the issue.

**Name of the Vulnerable Software and Affected Versions** RestrictedPython versions prior to 5.3 RestrictedPython versions prior to 6.1 **Description** The issue allows an attacker with access to a RestrictedPython environment to write code that gets the current stack frame in a generator and then walk the stack all the way beyond the RestrictedPython invocation boundary, thus breaking out of the restricted sandbox and potentially allowing arbitrary code execution in the Python interpreter. All RestrictedPython deployments that allow untrusted users to write Python code in the RestrictedPython environment are at risk, particularly those where administrators allow untrusted users to create or edit certain object types. **Recommendations** For versions prior to 5.3, update to version 5.3 or later. For versions prior to 6.1, update to version 6.1 or later. If you cannot upgrade to the latest release, ensure the RestrictedPython environment is only available for trusted users.