The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918)   Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not validate the Host header of incoming HTTP/HTTPS requests.   By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, use other URLs such as that can access documents on the system (using file://), or use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

Sandbox escape in the JavaScript Task feature of Google Cloud Application Integration allows an actor to execute arbitrary unsandboxed code via crafted JavaScript code executed by the Rhino engine. Effective January 24, 2025, Application Integration will no longer support Rhino as the JavaScript execution engine. No further fix actions are needed.

Cross-Site Request Forgery (CSRF) vulnerability in DigiTimber DigiTimber cPanel Integration allows Stored XSS. This issue affects DigiTimber cPanel Integration: from n/a through 1.4.6.

Missing Authorization vulnerability in Speedcomp Linet ERP-Woocommerce Integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Linet ERP-Woocommerce Integration: from n/a through 3.5.7.

Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

Cross-Site Request Forgery (CSRF) vulnerability in Hernan Javier Hegykozi MercadoLibre Integration allows Stored XSS.This issue affects MercadoLibre Integration: from n/a through 1.1.

The Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘active_tab’ parameter in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Incorrect Authorization vulnerability in Drupal OhDear Integration allows Forceful Browsing.This issue affects OhDear Integration: from 0.0.0 before 2.0.4.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in S3Bubble S3Player – WooCommerce & Elementor Integration allows Stored XSS.This issue affects S3Player – WooCommerce & Elementor Integration: from n/a through 4.2.1.