Yagebu

**Name of the Vulnerable Software and Affected Versions** Fava versions prior to 1.22 **Description** The issue concerns reflected cross-site scripting (XSS) due to the lack of escaping of error messages that contain the `time` and `filter` parameters in verbatim. This allows for the injection of malicious scripts, potentially leading to unauthorized actions on behalf of the user. **Recommendations** For versions prior to 1.22, update to version 1.22 or later to resolve the issue. As a temporary workaround, consider restricting access to the `time` and `filter` parameters in error messages until a patch is available. Avoid using the parameters `time` and `filter` in a way that could lead to the injection of malicious scripts in error messages.

**Name of the Vulnerable Software and Affected Versions** beancount/fava versions prior to 1.22.2 **Description** The issue concerns a Cross-site Scripting (XSS) - Reflected vulnerability. The `query string` parameter of Fava is vulnerable to reflected cross-site scripting, allowing an attacker to modify any information that the user is able to modify. **Recommendations** For versions prior to 1.22.2, update to version 1.22.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `query string` parameter to minimize the risk of exploitation.