Code Injection
Apostrophe v3.16.1 was discovered to contain a remote code execution (RCE) vulnerability via the component uploadfs.
Apostrophe CMS versions between which allows unauthenticated remote attackers to hijack recently logged-in users' sessions.
Apostrophe CMS versions between to are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed.
Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect. The package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end. Recommendation: Update to version 2.92.0 or later.
Versions of apostrophe prior to 2.97.1 are vulnerable to Denial of Service. The apostrophe-jobs module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and exhaust system memory. Recommendation: Upgrade to version 2.97.1 or later.