Vulnerabilities from the last week
Unsafe Dependency Resolution
electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client
Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the runWidget function. An attacker can achieve arbitrary code execution by supplying crafted input that exploits path traversal to load and execute malicious JavaScript files from the filesystem through the renderer process. This is only exploitable if an attacker is able to execute JavaScript in the renderer process, such as through a malicious plugin or a cross-site scripting flaw in the embedded webview.
Cross-site Scripting (XSS)
open-webui is an Open WebUI
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the process that previews Excel file attachments using the sheet_to_html function. An attacker can execute arbitrary scripts in the context of the victim's browser by uploading a crafted XLSX file containing malicious payloads, which are then rendered unsanitized in the DOM when the preview feature is used. This is only exploitable if a user opens and previews the malicious file attachment in a chat.
Insufficient Session Expiration
Affected versions of this package are vulnerable to Insufficient Session Expiration in the DSF FHIR and BPE Servers with enabled OIDC authentication due to the lack of session timeout enforcement in OIDC browser sessions. An attacker can gain unauthorized access to a user's session by using the same browser after the original user has logged in and left the session active.
Recent vulnerabilities disclosed by Snyk
- M: Missing Authentication for Critical Function in django-mdeditor (pip)
- C: Remote Code Execution (RCE) in simple-git (npm)
- C: (title not recovered from the page)
- M: Cross-site Scripting (XSS) in github.com/yuin/goldmark/renderer/html (golang)
- M: Division by zero in jsrsasign (npm)
Snyk security researchers have disclosed 3486 vulnerabilities
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.