Symfony · Symfony · CVE-2019-18887
**Name of the Vulnerable Software and Affected Versions**
Symfony versions 2.8.0 through 2.8.50
Symfony versions 3.4.0 through 3.4.34
Symfony versions 4.2.0 through 4.2.11
Symfony versions 4.3.0 through 4.3.7
**Description**
The issue is in Symfony's UriSigner, which is subject to timing attacks because it does not use a constant-time string comparison function when checking the signature of a URI. This could allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The vulnerability is related to concurrent execution and the use of a shared resource with improper synchronization.
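
As an added example (not Symfony's UriSigner code, and not part of this advisory), the PHP sketch below contrasts a URI signature check that uses `===` with one that uses PHP's constant-time `hash_equals()`. The helper names, the `_hash` parameter name, the HMAC-SHA256 construction and the secret are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony's UriSigner source. The helper names, the
// "_hash" parameter and the secret below are assumptions for this example.
const SECRET = 'constructed-example-secret';

function computeHash(string $uri, string $secret): string
{
    return base64_encode(hash_hmac('sha256', $uri, $secret, true));
}

function signUri(string $uri, string $secret): string
{
    $sep = strpos($uri, '?') === false ? '?' : '&';
    return $uri . $sep . '_hash=' . rawurlencode(computeHash($uri, $secret));
}

// Splits a signed URI into [unsigned URI, supplied hash]; null if unsigned.
function splitSigned(string $signed): ?array
{
    if (!preg_match('/^(.*)[?&]_hash=([^&]*)$/', $signed, $m)) {
        return null;
    }
    return [$m[1], rawurldecode($m[2])];
}

// Weak: === may return at the first differing byte, so the response time
// depends on how much of the supplied hash matches the expected one.
function checkWeak(string $signed, string $secret): bool
{
    $parts = splitSigned($signed);
    return $parts !== null && computeHash($parts[0], $secret) === $parts[1];
}

// Hardened: hash_equals() takes the same time wherever the strings differ.
// It does not hide the length, which is fixed and public for an HMAC anyway.
function checkConstantTime(string $signed, string $secret): bool
{
    $parts = splitSigned($signed);
    return $parts !== null
        && hash_equals(computeHash($parts[0], $secret), $parts[1]);
}

// Constructed sample input: a signed URI and a copy with the query altered.
$signed   = signUri('https://example.test/reset?user=42', SECRET);
$tampered = str_replace('user=42', 'user=43', $signed);
var_dump(checkConstantTime($signed, SECRET), checkConstantTime($tampered, SECRET));
var_dump(checkWeak($signed, SECRET), checkWeak($tampered, SECRET));
```

Both checks return the same boolean for every input; the difference is only in whether the comparison time reveals how many leading bytes of a supplied hash were correct.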
**Recommendations**
For Symfony versions 2.8.0 through 2.8.50, update to a version that includes a fix for the UriSigner timing attack issue.
For Symfony versions 3.4.0 through 3.4.34, update to a version that includes a fix for the UriSigner timing attack issue.
For Symfony versions 4.2.0 through 4.2.11, update to a version that includes a fix for the UriSigner timing attack issue.
For Symfony versions 4.3.0 through 4.3.7, update to a version that includes a fix for the UriSigner timing attack issue.