Osm Static Maps · Osm-Static-Maps · CVE-2020-7749
**Name of the Vulnerable Software and Affected Versions**
osm-static-maps versions prior to 3.9.0
**Description**
The issue arises from user input being passed directly into a template without escaping, through the triple-brace `{{{ ... }}}` syntax, which emits a value verbatim rather than HTML-escaping it. This allows an attacker to inject arbitrary HTML or JavaScript. Depending on where the output ends up, this can lead to Cross-Site Scripting (XSS) if the result is rendered as HTML in a user's browser, or to Server-Side Request Forgery (SSRF) and Local File Read if the template is rendered on the server by puppeteer, since the injected markup is then loaded by a headless browser running on the server.
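To make the escaping difference concrete, here is an added example (not osm-static-maps' own code) with a minimal Mustache/Handlebars-style renderer that treats `{{{name}}}` as raw output and `{{name}}` as HTML-escaped output; the template strings and the user-supplied attribution value are constructed for the demonstration.

```javascript
// Added example, not code from osm-static-maps. A tiny renderer that mimics
// the two output forms of Mustache/Handlebars-style templates:
//   {{{name}}}  -> raw substitution (no escaping)   <- the vulnerable form
//   {{name}}    -> HTML-escaped substitution         <- the safe form

// Same character set Handlebars' escapeExpression neutralizes.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a template against a context object. The triple-brace alternative is
// listed first so "{{{x}}}" is never mistaken for "{{x}}" with a stray brace.
function render(template, context) {
  const placeholder = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g;
  return template.replace(placeholder, (_match, rawName, escName) => {
    if (rawName !== undefined) {
      const v = context[rawName];
      return v === undefined ? '' : String(v);      // raw: injected as-is
    }
    const v = context[escName];
    return v === undefined ? '' : escapeHtml(v);    // escaped: inert text
  });
}

// Constructed sample input: a value an end user might submit (e.g. a map
// attribution string) that carries markup instead of plain text.
const USER_INPUT = '<script>alert(1)</script>';

// Constructed templates: the unescaped form the advisory describes, and the
// escaping form that corrects it.
const VULNERABLE_TEMPLATE = '<div class="attribution">{{{attribution}}}</div>';
const FIXED_TEMPLATE = '<div class="attribution">{{attribution}}</div>';

function renderVulnerable(input = USER_INPUT) {
  return render(VULNERABLE_TEMPLATE, { attribution: input });
}

function renderFixed(input = USER_INPUT) {
  return render(FIXED_TEMPLATE, { attribution: input });
}

// True when the rendered page still contains a live <script> element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Running `renderVulnerable()` yields markup containing a live `<script>` element, while `renderFixed()` turns the same input into inert `&lt;script&gt;...` text, which is the behaviour the escaping `{{ ... }}` form provides.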
**Recommendations**
For versions prior to 3.9.0, update to version 3.9.0 or later, which resolves the issue. If updating is not immediately possible, use the following temporary workarounds: stop passing user input into templates until the fix can be applied; restrict network and file-system access for the host running puppeteer to minimize the impact of SSRF and Local File Read; and avoid the unescaped `{{{ ... }}}` syntax in templates until the issue is resolved.