Sofianeelhor

**Name of the Vulnerable Software and Affected Versions** jsPDF versions prior to 4.2.1 **Description** jsPDF is a JavaScript library used to generate PDF documents. A flaw exists where user-controlled arguments within the `createAnnotation` method can allow the injection of arbitrary PDF objects, including JavaScript actions. If unsanitized input is provided to the `createAnnotation` method, specifically the `color` parameter, malicious code can be injected. This injected code may execute when the PDF is opened or interacted with. An example attack vector involves crafting a payload that, when used as the `color` value in `createAnnotation`, can trigger the execution of arbitrary commands, such as `calc.exe`. **Recommendations** Versions prior to 4.2.1 should be updated to version 4.2.1 or later. Sanitize user input before passing it to the `createAnnotation` method.

**Name of the Vulnerable Software and Affected Versions** GLPI Inventory Plugin versions prior to 1.6.6 **Description** The GLPI Inventory Plugin manages network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to version 1.6.6, unsanitized user input could lead to an SQL injection when generating reports, requiring appropriate permissions. The `reports` functionality is susceptible to this issue due to improper handling of user-supplied data. **Recommendations** Upgrade to GLPI Inventory Plugin version 1.6.6 or later.

**Name of the Vulnerable Software and Affected Versions** jsPDF versions prior to 4.2.1 **Description** jsPDF, a JavaScript library used for generating PDFs, contains a flaw where insufficient sanitization of user-controlled input within the `options` argument of the `output` function allows attackers to inject arbitrary HTML, including scripts, into the browser context when a generated PDF is opened. This can lead to the execution of malicious code within the victim's browser, potentially allowing attackers to extract or modify sensitive information. The vulnerability affects the `"pdfobjectnewwindow"`, `"pdfjsnewwindow"`, and `"dataurlnewwindow"` overloads, specifically impacting the `pdfObjectUrl`, `pdfJsUrl`, and `filename` options. An example attack vector involves crafting a malicious payload within the `filename` option to inject a script tag. **Recommendations** Upgrade to jsPDF version 4.2.1 or sanitize user input before passing it to the `output` method.

**Name of the Vulnerable Software and Affected Versions** Feathersjs versions 5.0.0 through 5.0.41 **Description** Feathersjs is a framework used for building web APIs and real-time applications. An unauthenticated attacker can exploit a flaw in the OAuth callback functionality by sending a specially crafted GET request to the `/oauth/:provider/callback` API endpoint. The vulnerability arises from a fallback mechanism in the OAuth service's authentication process, which relies on request query parameters (`params.query`) when Grant's session or state responses are empty. This allows an attacker to forge a profile within the query string and obtain a valid access token for an existing user without interacting with the OAuth provider. The vulnerability occurs because the attacker never initiates an OAuth authorize flow, resulting in an empty Grant session and triggering the fallback mechanism. **Recommendations** Update Feathersjs to version 5.0.42 or later.

**Name of the Vulnerable Software and Affected Versions** Feathersjs versions 5.0.0 through 5.0.41 **Description** Feathersjs is a framework used for building web APIs and real-time applications. Socket.IO clients can send arbitrary JavaScript objects as the `id` argument to any service method (get, patch, update, remove). The transport layer does not validate the type of this argument. When using the MongoDB adapter, these objects are passed to the `getObjectId()` function and used directly in MongoDB queries as operators. Sending `{$ne: null}` as the `id` can match all documents within a collection. **Recommendations** Update to version 5.0.42 or later.

**Name of the Vulnerable Software and Affected Versions** SCEditor versions prior to 3.2.1 **Description** SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. A lack of sanitisation of configuration options passed to the `sceditor.create()` function allows an attacker who can control these options—such as `emoticons` and `charset`—to trigger a cross-site scripting (XSS) attack. The issue occurs because configuration options are not properly validated, enabling malicious code injection. A proof of concept demonstrates the exploitation using the `emoticons` option to inject an onerror event handler. **Recommendations** Update to version 3.2.1 or later.

**SandboxJS and Affected Versions** SandboxJS versions prior to 0.8.29 **Description** SandboxJS, a JavaScript sandboxing library, is susceptible to a sandbox escape issue. This occurs because of the ability to shadow the `hasOwnProperty` method on a sandbox object, which disables prototype whitelist enforcement during property access. This allows direct access to blocked prototype properties like ` proto `, potentially leading to host `Object.prototype` pollution and cross-sandbox impact. The issue was reproducible on Node `v23.9.0`. The root cause is the direct use of `a.hasOwnProperty(b)` within the `prototypeAccess` function, which can be controlled by an attacker if the sandboxed object shadows `hasOwnProperty`. This bypasses whitelist checks. The vulnerability can be exploited to achieve remote code execution (RCE) through host gadget exploitation and prototype pollution. Specifically, the `hasOwnProperty` bypass allows for the mutation of `Object.prototype`, potentially leading to the execution of arbitrary commands. **Recommendations** Update SandboxJS to version 0.8.29 or later.