Takeshi Kaneko

**Name of the Vulnerable Software and Affected Versions** golang versions 1.15 through 1.19 **Description** The issue affects golang packages in Debian Linux. No further details are available due to the lack of information from high-priority sources. **Recommendations** For golang version 1.15, update to a version outside the affected range. For golang version 1.19, update to a version outside the affected range. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FitNesse versions prior to 20241026 **Description** A Path Traversal issue exists due to improper limitation of a pathname to a restricted directory. If exploited, an attacker may be able to determine whether a file exists at a specific path and/or obtain some part of the file contents under specific conditions. **Recommendations** For versions prior to 20241026, update to a version released on or after 20241026 to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FitNesse versions prior to 20241026 **Description** A cross-site scripting issue exists, allowing an arbitrary script to be executed on the user's web browser if exploited. **Recommendations** For versions prior to 20241026, update to a version released after 20241026 to resolve the issue. As a temporary workaround, consider restricting access to sensitive features or input fields to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** html/template package (affected versions not specified) **Description** The issue is related to the html/template package not applying proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. The exploitation of this issue could allow a remote attacker to perform a cross-site scripting (XSS) attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.20.8 dev-go/go-tools versions prior to 0.3.0 **Description** The issue is related to the html/template package in the Go programming language, which does not properly handle HTML-like comment tokens or hashbang "#!" comment tokens in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, leading to actions being improperly escaped. As a result, it may be leveraged to perform a cross-site scripting (XSS) attack. **Recommendations** For Go versions prior to 1.20.8, upgrade to version 1.20.8 or later to resolve the issue. For dev-go/go-tools versions prior to 0.3.0, upgrade to version 0.3.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the html/template package in <script> contexts until a patch is available.

**Name of the Vulnerable Software and Affected Versions** vm2 versions 3.9.17 and lower **Description** The issue allows a threat actor to get a read-write reference to the node `inspect` method and edit options for `console.log`, resulting in the ability to edit options for the `console.log` command. This was possible due to a flaw in vm2, a sandbox that can run untrusted code with Node's built-in modules. **Recommendations** For versions 3.9.17 and lower, upgrade to version 3.9.18 or higher. As a temporary workaround for users unable to upgrade, make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.

**Name of the Vulnerable Software and Affected Versions** vm2 versions up to and including 3.9.17 **Description** A sandbox escape issue exists in vm2, allowing a threat actor to bypass sandbox protections and gain remote code execution rights on the host. This is achieved by abusing an unexpected creation of a host object based on the specification of `Proxy`. The vulnerability can be exploited by a remote attacker to execute arbitrary code. **Recommendations** For versions up to and including 3.9.17, upgrade to version 3.9.18 or later to patch the vulnerability. As a temporary workaround, consider restricting access to the `Proxy` specification until a patch is applied. There are no known workarounds for this vulnerability. Users are advised to upgrade to a patched version to mitigate the risk.