@asyncapi/modelina is a The Model SDK for generating data models

Affected versions of this package are vulnerable to Arbitrary Code Injection when using the default presets, via the constructor() in TypeScriptGenerator.

NOTE: The maintainers advise that "it is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only access the constrained models, you will not encounter this issue. Further similar situations are NOT seen as a security issue, but intended behavior."

xblock-lti-consumer is a XBlock that implements the consumer side of the LTI specification

Affected versions of this package are vulnerable to Missing Authorization in the publish_grade_on_score_update() function in signals/signals.py that allows any LTI tool that is integrated with the Open edX platform to post a grade back for any LTI XBlock, using the block location for that XBlock. The code that uploads that score to the LMS grade tables determines which XBlock to upload the grades for by reading the resource_link_id field of the associated line item, which can be controlled by an unauthorized user.

io.quarkus.resteasy.reactive:resteasy-reactive-common is a RESTEasy Reactive - Common Runtime

Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions via the usage of File.createTempFile() class in the FileBodyHandler serializer that causes temp files to be created with -rw-r--r-- permissions.