Vovikhangcdv

**Name of the Vulnerable Software and Affected Versions** v8n versions prior to 1.5.1 **Description** The issue is related to an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex of the v8n javascript validation library. This could lead to a denial of service attack. Testing of the `lowercase()` function with a payload of 'a' + 'a'.repeat(i) + 'A' and 32 leading characters took 29443 ms to execute. The same issue happens with `uppercase()`. **Recommendations** For versions prior to 1.5.1, upgrade to version 1.5.1 or later to resolve the issue. As a temporary workaround, consider disabling the `lowercase()` and `uppercase()` functions until a patch is available. Restrict access to these functions to minimize the risk of exploitation. Avoid using the `lowercase()` and `uppercase()` functions in sensitive areas of the application until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Bookwyrm versions prior to 0.4.1 **Description** The issue concerns an open source social reading and reviewing program where versions prior to 0.4.1 did not properly sanitize HTML being rendered to users. Unprivileged users can inject scripts into user profiles, book descriptions, and statuses, potentially leading to cross-site scripting attacks on users viewing these fields. **Recommendations** For versions prior to 0.4.1, upgrade to version 0.4.1 to resolve the issue. As a temporary workaround, consider restricting access to user profiles, book descriptions, and statuses until the upgrade is applied. Avoid using the affected fields in the program until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** moment versions prior to 2.29.4 **Description** The issue is related to an inefficient parsing algorithm used in the moment JavaScript date library, specifically in the string-to-date parsing and rfc2822 parsing. This results in quadratic complexity on specific inputs, causing a noticeable slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. **Recommendations** For moment versions prior to 2.29.4, upgrade to version 2.29.4 or later. As a temporary workaround, consider limiting the length of user input to something sane, like 200 characters or less, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Luxon versions 1.x prior to 1.38.1 Luxon versions 2.x prior to 2.5.2 Luxon versions 3.x prior to 3.2.1 Moment versions prior to 2.29.4 **Description** The issue is related to quadratic (N^2) complexity in date and time parsing on specific inputs, causing a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to the affected methods are vulnerable to (Re)DoS attacks. The problem is rooted in the code that removes legacy comments from strings during rfc2822 parsing. **Recommendations** For Luxon versions 1.x prior to 1.38.1, update to version 1.38.1 or later. For Luxon versions 2.x prior to 2.5.2, update to version 2.5.2 or later. For Luxon versions 3.x prior to 3.2.1, update to version 3.2.1 or later. For Moment versions prior to 2.29.4, update to version 2.29.4 or later. As a temporary workaround, consider limiting the length of the input to something sane, like 200 characters or less, to minimize the risk of exploitation.