Xiaofen9

**Name of the Vulnerable Software and Affected Versions** npm-dependency-versions versions 0.3.0 and earlier **Description** The issue is related to insufficient argument checking in the npm-dependency-versions package, which can lead to command injection. An attacker can exploit this by calling dependencyVersions with a JSON object containing a `pkgs` key and shell metacharacters in a value, potentially allowing remote execution of arbitrary commands. **Recommendations** For versions 0.3.0 and earlier, consider disabling the `dependencyVersions` function until a patch is available to prevent command injection attacks. Restrict access to the `dependencyVersions` function to minimize the risk of exploitation. Avoid using the `pkgs` key in the JSON object passed to the `dependencyVersions` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Boost Note versions prior to 0.22.1 **Description** The issue allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable `ipcRenderer` IPC interface, which invokes the `openExternal` Electron API. **Recommendations** For versions prior to 0.22.1, update to version 0.22.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `ipcRenderer` IPC interface until a patch is available.

Name of the Vulnerable Software and Affected Versions: Camunda Modeler versions through 4.6.0 Description: The issue allows arbitrary file access. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which manipulates the `readFile` and `writeFile` APIs. The vendor states that the app is secured in a way that it does not allow any remote scripts to be opened, no unsafe scripts to be evaluated, and no remote sites to be browsed. Recommendations: For Camunda Modeler versions through 4.6.0, consider disabling the `ipcRenderer` IPC interface as a temporary workaround until a patch is available. Restrict access to the `readFile` and `writeFile` APIs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Clipper versions prior to 1.0.5 Description: The issue allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable `ipcRenderer` IPC interface, which invokes the `openExternal` API. Recommendations: For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `ipcRenderer` IPC interface until a patch is available. Avoid using the `openExternal` API in the affected IPC interface until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Twinkle Tray (aka twinkle-tray) versions 1.13.3 and earlier Description: The issue allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable `ipcRenderer` IPC interface, which invokes the `openExternal` API. Recommendations: For versions 1.13.3 and earlier, as a temporary workaround, consider disabling the `ipcRenderer` IPC interface until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** js-bson library version 1.1.3 and prior **Description** The issue is caused by incorrect parsing of certain JSON input, which may result in js-bson not correctly serializing BSON. This can cause unexpected application behavior, including data disclosure. **Recommendations** For js-bson library version 1.1.3 and prior, update to a version later than 1.1.3 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bson versions prior to 1.1.4 **Description** The issue is related to the deserialization of untrusted data in the bson package. It occurs when the package ignores an unknown value for an object's ` bsotype` or ` bsontype`, leading to incorrect serialization of the object as a document instead of the intended BSON type. This can potentially allow a remote attacker to execute arbitrary code. **Recommendations** For versions prior to 1.1.4, update to version 1.1.4 or later to resolve the issue. As a temporary workaround, consider restricting the deserialization of untrusted data to minimize the risk of exploitation. Avoid using unknown or untrusted values for an object's ` bsotype` or ` bsontype` until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** valib versions through 2.0.0 **Description** The issue allows Internal Property Tampering. A maliciously crafted JavaScript object can bypass several inspection functions provided by valib. Valib uses a built-in function (hasOwnProperty) from the unsafe user-input to examine an object. It is possible for a crafted payload to overwrite this function to manipulate the inspection results to bypass security checks. **Recommendations** For valib versions through 2.0.0, consider disabling the use of the `hasOwnProperty` function from unsafe user-input until a patch is available. Restrict access to the inspection functions provided by valib to minimize the risk of exploitation. Avoid using the `hasOwnProperty` function in the affected JavaScript objects until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** taffydb versions up to and including 2.7.3 **Description** The issue allows attackers to forge adding additional properties into user-input processed by taffy, which can allow access to any data items in the DB. Taffy sets an internal index for each data item in its DB. However, it is found that the internal index can be forged by adding additional properties into user-input. If an index is found in the query, taffyDB will ignore other query conditions and directly return the indexed data item. Moreover, the internal index is in an easily-guessable format, such as `T000002R000001`. As such, attackers can use this vulnerability to access any data items in the DB. **Recommendations** For versions up to and including 2.7.3, consider disabling the use of internal indexes until a patch is available or an alternative solution is implemented. Restrict access to sensitive data items to minimize the risk of exploitation. Avoid using the taffydb module until a maintained successor or a fixed version is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** schema-inspector versions prior to 1.6.9 **Description** A maliciously crafted JavaScript object can bypass the `sanitize()` and the `validate()` functions used within schema-inspector. **Recommendations** For versions prior to 1.6.9, update to version 1.6.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** kind-of versions 6.0.0 through 6.0.2 **Description** The issue is related to insufficient input validation in the kind-of library, which can be exploited by a remote attacker to cause a denial of service. Specifically, the `ctorName` in `index.js` of kind-of version 6.0.2 allows external user input to overwrite internal attributes via a conflicting name. A crafted payload can manipulate the type detection result by overwriting a built-in attribute. This can enable attackers to bypass type checking validation. **Recommendations** For kind-of versions 6.0.0 through 6.0.2, upgrade to version 6.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** jpv (aka Json Pattern Validator) versions prior to 2.1.1 **Description** The issue allows certain internal attributes to be overwritten via a conflicting name, as demonstrated by 'constructor': {'name':'Array'}. This affects the validate() function, enabling a crafted payload to manipulate the type detection result. **Recommendations** For versions prior to 2.1.1, update to version 2.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Pomelo version 2.2.5 **Description** The issue allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in `template/game-server/app/servers/connector/handler/entryHandler.js` because certain internal attributes can be overwritten via a conflicting name. This enables a malicious attacker to manipulate internal attributes by adding additional attributes to user input. **Recommendations** For Pomelo version 2.2.5, as a temporary workaround, consider restricting user input to prevent the addition of conflicting attributes that could overwrite internal attributes in the `entryHandler.js` file. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** class-validator versions 0.10.2 through 0.13.x **Description** The `validate()` input validation in class-validator can be bypassed because certain internal attributes can be overwritten via a conflicting name. Although there is an optional `forbidUnknownValues` parameter that can reduce the risk of this bypass, it is not documented, leading most developers to configure input validation in the vulnerable default manner. This allows attackers to launch SQL Injection or XSS attacks by injecting arbitrary malicious input. **Recommendations** For class-validator versions 0.10.2 through 0.13.x, update to version 0.14.0 or later, where the default setting for `forbidUnknownValues` has been changed to `true`. As a temporary workaround, consider setting the `forbidUnknownValues` parameter to `true` to reduce the risk of input validation bypass until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Automattic Mongoose versions through 5.7.4 **Description** The issue allows attackers to bypass access control in some applications because any query object with a ` bsontype` attribute is ignored. For example, adding ` bsontype`:"a" can sometimes interfere with a query filter. This is related to Mongoose's failure to work around the ` bsontype` special case that exists in older versions of the bson parser. **Recommendations** For versions through 5.7.4, consider updating to a version that addresses this issue, as the current version allows attackers to bypass access control by exploiting the ` bsontype` attribute in query objects. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ghidra versions prior to 9.1 **Description** The issue allows path traversal in certain scenarios, potentially enabling attackers to overwrite arbitrary files. This can be achieved by using an archive with an executable file that has an initial ../ in its filename. In some cases, this could lead to arbitrary code execution if critical modules, such as the decompile module, are overwritten. **Recommendations** For versions prior to 9.1, update to version 9.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of archives with executable files that have an initial ../ in their filename to minimize the risk of exploitation.