Insufficient policy enforcement in developer tools in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

A flaw was found in Openstack manilla owning a Ceph File system "share", which enables the owner to read/write any manilla share or entire file system. The vulnerability is due to a bug in the "volumes" plugin in Ceph Manager. This allows an attacker to compromise Confidentiality and Integrity of a file system. Fixed in RHCS 5.2 and Ceph 17.2.2.

The package otp-generator before 3.0.0 are vulnerable to Insecure Randomness due to insecure generation of random one-time passwords, which may allow a brute-force attack.

All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead.

All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality.

This affects all versions of package node-import. The "params" argument of module function can be controlled by users without any sanitization.b. This is then provided to the “eval” function located in line 79 in the index file "index.js".

This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.

This affects the package properties-reader before 2.2.0.

This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context.

This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context.

This affects all versions of package xopen. The injection point is located in line 14 in index.js in the exported function xopen(filepath)

The package ntesseract before 0.2.9 are vulnerable to Command Injection via lib/tesseract.js.

This affects all versions of package npm-help. The injection point is located in line 13 in index.js file in export.latestVersion() function.

This affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js.

This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.

This affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js

This affects all versions of package google-cloudstorage-commands.

This affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js.

Obsidian 0.14.x and 0.15.x before 0.15.5 allows obsidian://hook-get-address remote code execution because window.open is used without checking the URL.

software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.