Masahiro Yamada

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer versions 6 through 8 **Description** An information disclosure issue exists, allowing remote attackers to perform cross-domain reading of JSON files via a crafted web site. This could enable an attacker to gain access and read the contents of JSON data files. **Recommendations** For Microsoft Internet Explorer versions 6 through 8, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dopvSTAR* 0091 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header, which is not properly handled during display of the access log. This is a cross-site scripting (XSS) issue. **Recommendations** For dopvSTAR* 0091, consider restricting access to the access log display to minimize the risk of exploitation. As a temporary workaround, avoid using the HTTP Referer header in the access log display until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dopvCOMET* 0009b **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header, which is not properly handled during display of the access log. This is a cross-site scripting (XSS) issue. **Recommendations** For dopvCOMET* 0009b, consider validating and sanitizing the HTTP Referer header to prevent injection of malicious scripts or HTML. As a temporary workaround, restrict access to the access log display to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** KENT-WEB ACCESS REPORT versions 5.02 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via vectors related to tag embedding. **Recommendations** For versions 5.02 and earlier, update to a version later than 5.02 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple Safari versions prior to 6.0.1 **Description** The issue arises from improper handling of the Quarantine attribute of HTML documents. This allows remote attackers to read arbitrary files on a user's system by leveraging the presence of a downloaded document, but it requires user assistance. **Recommendations** For versions prior to 6.0.1, update to version 6.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Opera versions prior to 11.60 **Description** The issue allows remote attackers to spoof the address bar via unspecified homograph characters. **Recommendations** For Opera versions prior to 11.60, update to version 11.60 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Opera versions prior to 11.50 **Description** The issue allows remote attackers to cause a denial of service, specifically disk consumption, by utilizing invalid URLs. These invalid URLs trigger the creation of error pages, leading to the denial of service. **Recommendations** For Opera versions prior to 11.50, update to version 11.50 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: No information is available about the vulnerable software and its affected versions. Description: The issue is related to a security problem, but specific details are not provided. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple Safari versions prior to 5.0 on Mac OS X 10.5 through 10.6 and Windows Apple Safari versions prior to 4.1 on Mac OS X 10.4 **Description** The issue is related to a cross-site scripting (XSS) vulnerability in WebKit. It allows remote attackers to inject arbitrary web script or HTML via vectors related to improper UTF-7 canonicalization and lack of termination of a quoted string in an HTML document. **Recommendations** For Apple Safari versions prior to 5.0 on Mac OS X 10.5 through 10.6 and Windows, update to version 5.0 or later. For Apple Safari versions prior to 4.1 on Mac OS X 10.4, update to version 4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.0.7 Thunderbird versions prior to 2.0.0.21 SeaMonkey versions prior to 1.1.15 **Description** The issue allows remote attackers to spoof URLs and conduct phishing attacks by decoding invisible characters when they are displayed in the location bar, causing an incorrect address to be displayed. **Recommendations** For Mozilla Firefox versions prior to 3.0.7, update to version 3.0.7 or later. For Thunderbird versions prior to 2.0.0.21, update to version 2.0.0.21 or later. For SeaMonkey versions prior to 1.1.15, update to version 1.1.15 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 2.0.0.15 SeaMonkey versions prior to 1.1.10 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks due to improper HTML escaping in file:// URLs in directory listings. This can be achieved via a crafted filename. **Recommendations** For Mozilla Firefox versions prior to 2.0.0.15, update to version 2.0.0.15 or later to resolve the issue. For SeaMonkey versions prior to 1.1.10, update to version 1.1.10 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 2.17.1 through 2.20.4 Bugzilla versions 2.22.x before 2.22.3 Bugzilla versions 3.x before 3.0.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `buildid` field in the "guided form" of the enter bug.cgi script. **Recommendations** For versions 2.17.1 through 2.20.4, update to version 2.20.5 or later. For versions 2.22.x before 2.22.3, update to version 2.22.3 or later. For versions 3.x before 3.0.1, update to version 3.0.1 or later.