HIGH

Impact
Magento admin users with access to the customer media could execute code on the server.
References

https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5vpv-xmcj-9q85
https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22
htt…

Impact
Custom Layout enabled admin users to execute arbitrary commands via block methods.
References

https://github.com/OpenMage/magento-lts/security/advisories/GHSA-c9q3-r4rv-mjm7
https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22
https://…

Cross-site Scripting (XSS) – Stored in GitHub repository modoboa/modoboa prior to 2.0.4.
References

https://nvd.nist.gov/vuln/detail/CVE-2023-0519
https://github.com/modoboa/modoboa/commit/eef9ab72b5305578a3ad7a7463bd284aa645e98b
https://huntr.dev/bou…

Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44.
References

https://nvd.nist.gov/vuln/detail/CVE-2023-0509
https://github.com/pyload/pyload/commit/a9098bdf7406e6faf9df3da6ff2d584e90c13bbb
https://huntr.dev/bou…

Cross-site Scripting (XSS) – Stored in GitHub repository modoboa/modoboa prior to 2.0.4.
References

https://nvd.nist.gov/vuln/detail/CVE-2023-0470
https://github.com/modoboa/modoboa/commit/354ab6884019009249097a7f3a1881d81ecd2fd2
https://huntr.dev/bou…

flash_tool Gem for Ruby contains a flaw that is triggered during the handling of downloaded files that contain shell characters. With a specially crafted file, a context-dependent attacker can execute arbitrary commands.
References

https://nvd.nist.go…

All versions of the package serve-lite are vulnerable to Directory Traversal due to missing input sanitization or other checks and protections employed to the req.url passed as-is to path.join().
References

https://nvd.nist.gov/vuln/detail/CVE-2022-21…

All versions of the package smartctl are vulnerable to Command Injection via the info method due to improper input sanitization.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-21810
https://security.snyk.io/vuln/SNYK-JS-SMARTCTL-3175613
https://…

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-…

All versions of the package create-choo-electron are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-25908
https://security.snyk.io/vuln/SNYK-JS-…