R4356Th

**Name of the Vulnerable Software and Affected Versions** Deno versions prior to 2.5.3 and 2.2.15 **Description** Deno, a JavaScript, TypeScript, and WebAssembly runtime, is susceptible to Command Line Injection attacks on Windows operating systems when batch files are executed. The Windows operating system implicitly uses `cmd.exe` when executing batch files, even if not explicitly specified, creating a pathway for attackers to inject malicious commands through user input. Approximately 654 systems are estimated to be affected, and over 1,300 services are found annually. The vulnerability resides in the way Deno handles the `CreateProcess()` function when executing batch files on Windows. The `CreateProcess()` function is used to create a new process, and in the case of batch files, it automatically invokes `cmd.exe`. This behavior allows attackers to inject commands into the batch file, which are then executed by `cmd.exe`. **Recommendations** Update Deno to version 2.5.3 or 2.2.15 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** parcel versions 2.0.0-alpha and earlier **Description** A security issue exists in Parcel that allows malicious websites to send XMLHTTPRequests to the application's development server and read the response, potentially leading to source code theft when developers visit these websites. This occurs during developer activity while working on a project with the Parcel dev server running. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Next.js versions 13.0.0 through 13.3.x Next.js versions 13.4 and earlier with experimental.appDir = true Next.js versions prior to 15.2.2 **Description** This issue is similar to a previously known vulnerability. When running a Next.js server locally, the WebSocket server is susceptible to Cross-site WebSocket hijacking (CSWSH) attacks. If a user visits a malicious link while the Next.js dev server is running, a bad actor may access the source code of client components. This affects applications using App Router, which was experimental in versions 13.0.0 to 13.3.x. The vulnerability allows an attacker to spy on dev activity and steal source code. **Recommendations** For Next.js versions 13.0.0 through 13.3.x, update to version 15.2.2 or later to fix the issue. For Next.js versions 13.4 and earlier with experimental.appDir = true, update to version 15.2.2 or later to fix the issue. For Next.js versions prior to 15.2.2, update to version 15.2.2 or later to fix the issue. As a temporary workaround, consider disabling the `next dev` server when not in use to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Koa versions prior to 0.21.2 Koa versions prior to 1.7.1 Koa versions prior to 2.15.4 Koa versions prior to 3.0.0-alpha.3 Description: The issue concerns a Denial-of-Service attack due to Koa using an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack, causing memory exhaustion. Recommendations: For versions prior to 0.21.2, update to version 0.21.2 or later. For versions prior to 1.7.1, update to version 1.7.1 or later. For versions prior to 2.15.4, update to version 2.15.4 or later. For versions prior to 3.0.0-alpha.3, update to version 3.0.0-alpha.3 or later. As a temporary workaround, consider restricting access to the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mediawiki - Apex skin versions 1.39.X through 1.39.8 Mediawiki - Apex skin versions 1.41.X through 1.41.2 Mediawiki - Apex skin versions 1.42.X through 1.42.1 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS, where an attacker can inject malicious scripts into the website, potentially affecting users who access the compromised page. **Recommendations** For Mediawiki - Apex skin versions 1.39.X through 1.39.8, update to version 1.39.9 or later. For Mediawiki - Apex skin versions 1.41.X through 1.41.2, update to version 1.41.3 or later. For Mediawiki - Apex skin versions 1.42.X through 1.42.1, update to version 1.42.2 or later.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.39.6 MediaWiki versions 1.40.x prior to 1.40.2 MediaWiki versions 1.41.x prior to 1.41.1 **Description** The issue is related to the UnlinkedWikibase extension in MediaWiki, where improper neutralization of input during web page creation can lead to cross-site scripting (XSS) attacks. This can allow a remote attacker to perform XSS attacks through an interface message. Error messages, stored in the `$err` variable, are not escaped before being passed to `Html::rawElement()` in the `getError()` function of the Hooks class. **Recommendations** For MediaWiki versions prior to 1.39.6, update to version 1.39.6 or later. For MediaWiki versions 1.40.x prior to 1.40.2, update to version 1.40.2 or later. For MediaWiki versions 1.41.x prior to 1.41.1, update to version 1.41.1 or later. As a temporary workaround, consider disabling the UnlinkedWikibase extension until a patch is available. Restrict access to interface messages to minimize the risk of exploitation. Avoid using error messages in the `$err` variable in the affected `getError()` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MediaWiki versions prior to 1.35.5 MediaWiki versions 1.36.x prior to 1.36.3 MediaWiki versions 1.37.x prior to 1.37.1 **Description** An issue was discovered in MediaWiki that allows CSRF through MassEditRegex. **Recommendations** For MediaWiki versions prior to 1.35.5, update to version 1.35.5 or later. For MediaWiki versions 1.36.x prior to 1.36.3, update to version 1.36.3 or later. For MediaWiki versions 1.37.x prior to 1.37.1, update to version 1.37.1 or later.