Rudloff

**Name of the Vulnerable Software and Affected Versions** Orejime versions prior to 2.3.2 **Description** Orejime, a consent manager focusing on accessibility, had a flaw where malicious code could be executed on HTML elements it handled. This occurred because the software, prior to version 2.3.2, would execute `javascript:` code embedded within data attributes when processing consent related to a purpose. Specifically, the software would convert `data-href` attributes into `href` attributes, triggering the code execution. This issue primarily affects setups where HTML code can be injected into pages. The vulnerable process involves transforming data attributes into unprefixed attributes. **Recommendations** Update to version 2.3.2 or later. As a workaround, sanitize attributes that could contain executable code outside of Orejime.

**Name of the Vulnerable Software and Affected Versions** Symfony versions 2.0.0 through 4.4.50 Symfony versions 5.0.0 through 5.4.30 Symfony versions 6.0.0 through 6.3.7 **Description** The issue exists due to some Twig filters in CodeExtension using `is safe=html` but not ensuring their input is safe. This could allow a remote attacker to disclose protected information, perform phishing attacks, and conduct drive-by downloads. Symfony now escapes the output of the affected filters to resolve the issue. **Recommendations** For Symfony versions 2.0.0 through 4.4.50, update to version 4.4.51 or later. For Symfony versions 5.0.0 through 5.4.30, update to version 5.4.31 or later. For Symfony versions 6.0.0 through 6.3.7, update to version 6.3.8 or later. As a temporary workaround, consider restricting the use of the affected Twig filters in CodeExtension until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** AllTube versions prior to 3.0.3 **Description** AllTube is an HTML front end for youtube-dl. An attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack, depending on how AllTube is configured. The impact is mitigated by the fact that the SSRF attack is only possible when the `stream` option is enabled in the configuration, which is disabled by default. **Recommendations** For versions prior to 3.0.3, update to version 3.0.3 to fix the vulnerability. Additionally, if using a custom version of youtube-dl, apply the patch to disable its generic extractor to prevent potential vulnerability. If the `stream` option is enabled, consider disabling it until the issue is resolved.