Tlsbollei

**Name of the Vulnerable Software and Affected Versions** @xmldom/xmldom versions prior to 0.8.13 @xmldom/xmldom versions prior to 0.9.10 xmldom versions 0.6.0 and earlier **Description** The software allows attacker-controlled processing instruction (PI) data to be serialized into XML without validating or neutralizing the PI-closing sequence `?>`. This occurs because the `createProcessingInstruction()` function stores the `data` variable directly without validation, and the serializer subsequently concatenates this data verbatim. An attacker can use the `?>` sequence to terminate the processing instruction prematurely and inject arbitrary XML nodes into the serialized output, potentially altering the structure and meaning of the generated XML documents. **Recommendations** For @xmldom/xmldom versions prior to 0.8.13 and 0.9.10, update to version 0.8.13 or 0.9.10 and explicitly pass the `{ requireWellFormed: true }` option to the `serializeToString()` function to enable validation that prevents the injection of `?>` sequences. For xmldom versions 0.6.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jq (affected versions not specified) **Description** The ` strindices` builtin in `src/builtin.c` passes arguments to `jv string indexes()` in `src/jv.c` without verifying they are strings. Because `jv string indexes()` relies on `assert()` checks that are removed in release builds compiled with `-DNDEBUG`, an attacker can cause a crash by providing input such as ` strindices(0)`. Additionally, by crafting a numeric value with an IEEE-754 bit pattern that maps to a specific pointer, a controlled pointer dereference and limited memory read/probe primitive can be achieved. This affects deployments that evaluate untrusted filters against a release build. **Recommendations** Apply the fix provided in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.