We’ve disclosed 3440 vulnerabilities
by Snyk Security Researchers
Avoid using all malicious instances of the ngx-bootstrap package.
react-toast-ui is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship.
matrix-synapse is an ecosystem for open federated Instant Messaging and VoIP.
Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input due to insufficient validation of device keys. An attacker can disrupt federation functionality and unpredictably break outbound federation to other homeservers by registering on the victim homeserver and submitting invalid device keys. This is only exploitable if the attacker is a registered user on the victim homeserver.
Note: even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, we recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Commerce Product Comparison Table widget when user-supplied input is injected into the Name text field of a Commerce Product. An attacker can execute arbitrary web scripts in the context of the user's browser by submitting a specially crafted payload.
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.