Security Bulletin: Multiple Vulnerabilities in IBM Concert Software
Summary: Multiple vulnerabilities were addressed in IBM Concert Software version 2.3.1. Vulnerability Details: CVEID: CVE-2023-5752 DESCRIPTION: When installing a package from a Mercurial VCS URL, i.e. "pip install hg+...", with pip prior to v23.3, the specified Mercurial revision could be used to inject...
CVE-2025-66400
A flaw was found in mdast-util-to-hast. This vulnerability allows rendered user-supplied Markdown code elements to appear like the rest of the page via character references. Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Re...
Improper Input Sanitization
mdast-util-to-hast is vulnerable to Improper Input Sanitization. The vulnerability is due to the utility allowing multiple unprefixed classnames to be injected via character references in markdown, which allows an attacker to disguise malicious code elements so they appear as trusted parts of the...
GHSA-4FH9-H7WG-Q85M mdast-util-to-hast has unsanitized class attribute
Impact: Multiple unprefixed classnames could be added in markdown source by using character references. This could make rendered user-supplied markdown code elements appear like the rest of the page. The following markdown: markdown jsxss Would create If your page then applied .xss classes or...
PT-2025-48573
Name of the Vulnerable Software and Affected Versions: mdast-util-to-hast versions 13.0.0 through 13.2.0. Description: mdast-util-to-hast, a utility used to transform markdown to HTML, has an issue where multiple, unprefixed classnames could be added to markdown source using character references. Th...
MAL-2023-8453 Malicious code in classnames-benchmarks (npm)
Source: ghsa-malware 04617c1a9f99b39025630b22b77e5338cd0a07452a2ba6384557f2308b4379e0 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious Package
Overview ddc-classnames-js is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package...
MAL-2022-2377 Malicious code in ddc-classnames-js (npm)
Source: ghsa-malware e99acb40e304c7529f780536e9e0c06faa3d8e76d23a1d58b7573005c7b92200 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
PAJAX < 0.5.2 Multiple Vulnerabilities
The remote host is running PAJAX, a PHP library for remote asynchronous objects in JavaScript. The version of PAJAX installed on the remote host fails to validate input to the 'pajax/pajaxcalldispatcher.php' script before using it in a PHP 'eval' function. An unauthenticated attacker can exploit...