William Tantiono

**Name of the Vulnerable Software and Affected Versions** perfood/couch-auth versions <= 0.21.2 **Description** A host header injection vulnerability exists in the NPM package of perfood/couch-auth. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a Server-Side Template Injection (SSTI) which can be leveraged to run limited commands or leak server-side information. **Recommendations** For perfood/couch-auth versions <= 0.21.2, consider disabling the email change confirmation feature until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the `host` header in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Stock-Forecaster versions <=01-04-2020 **Description** A vulnerability exists that allows for SQL injection. By sending a specially crafted `stock-symbol` parameter to the "portofolio()" endpoint, it is possible to trigger an SQL injection in the application. As a result, the attacker will be able to access user data or manipulate the software behavior. **Recommendations** For Stock-Forecaster versions <=01-04-2020, as a temporary workaround, consider disabling the "portofolio()" endpoint until a patch is available. Restrict access to the `stock-symbol` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.