Cure53

**Name of the Vulnerable Software and Affected Versions** DOMPurify versions 2.5.3 through 2.5.8 DOMPurify versions 3.1.3 through 3.3.1 **Description** DOMPurify contains a cross-site scripting issue that allows attackers to bypass attribute sanitization. This bypass is achieved by exploiting missing rawtext elements (noscript, xmp, noembed, noframes, iframe) within the SAFE FOR XML regular expression. Attackers can inject payloads, such as </noscript><img src=x onerror=alert(1)>, into attribute values. When the sanitized output is placed within these unprotected rawtext contexts, the JavaScript payload can be executed. **Recommendations** Update to a version of DOMPurify that includes commit 729097f.

**Name of the Vulnerable Software and Affected Versions** Docker Desktop versions prior to 4.34.3 **Description** The issue is related to a lack of output encoding or sanitization mechanism in Docker Desktop, which can be exploited by a remote attacker to execute arbitrary code by injecting it through an unsanitized GitHub source link in the Build view. This allows for remote code execution. **Recommendations** For Docker Desktop versions prior to 4.34.3, update to version 4.34.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the Build view or avoiding the use of GitHub source links until the update is applied.

Name of the Vulnerable Software and Affected Versions: Docker Desktop versions prior to 4.34.2 Description: A remote code execution (RCE) vulnerability exists via crafted extension `publisher-url`/`additional-urls` that could be abused by a malicious extension. This issue can be exploited to execute code remotely. Recommendations: For Docker Desktop versions prior to 4.34.2, update to version 4.34.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of extensions or disabling the `publisher-url` and `additional-urls` features until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Docker Desktop versions prior to 4.34.2 Description: A remote code execution vulnerability exists via crafted extension description or changelog, which could be exploited by a malicious extension. Recommendations: For Docker Desktop versions prior to 4.34.2, update to version 4.34.2 or later to resolve the issue. As a temporary workaround, consider disabling the use of extensions in Docker Desktop until a patch is applied. Restrict access to the extension management feature to minimize the risk of exploitation. Avoid using crafted extension descriptions or changelogs in Docker Desktop until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Docker Desktop versions 4.11.x **Description** The issue is related to a violation of trust boundaries in Docker Desktop, which can be exploited to potentially allow an attacker to elevate their privileges. This is achieved through IPC response spoofing, bypassing the --no-windows-containers flag, and may lead to Local Privilege Escalation (LPE). **Recommendations** For Docker Desktop version 4.11.x, consider disabling the IPC response feature until a patch is available to prevent potential exploitation. Restrict access to the Docker Desktop application to minimize the risk of privilege escalation. Avoid using the `--no-windows-containers` flag in affected versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Docker Desktop versions prior to 4.12.0 **Description** The issue is related to an argument injection to the installer in Docker Desktop on Windows, which may result in local privilege escalation. This allows an attacker to potentially elevate their privileges. **Recommendations** For Docker Desktop versions prior to 4.12.0, update to version 4.12.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the installer to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mastodon versions prior to 3.5.9 Mastodon versions prior to 4.0.5 Mastodon versions prior to 4.1.3 **Description** The issue is related to Mastodon's handling of outgoing HTTP queries, where a timeout is set on individual read operations. A malicious server can extend the response duration indefinitely through slowloris-type attacks, keeping all Mastodon workers busy and leading to the server becoming unresponsive. **Recommendations** For versions prior to 3.5.9, update to version 3.5.9 or later. For versions prior to 4.0.5, update to version 4.0.5 or later. For versions prior to 4.1.3, update to version 4.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** Mastodon versions 1.3 through 3.5.8 Mastodon versions 4.0.0 through 4.0.4 Mastodon versions 4.1.0 through 4.1.2 **Description** The issue is related to the processing of oEmbed data in Mastodon, which can allow an attacker to bypass HTML sanitization and include arbitrary HTML in oEmbed preview cards. This can introduce a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. An attacker can use carefully crafted oEmbed data to exploit this issue. **Recommendations** For Mastodon versions 1.3 through 3.5.8, update to version 3.5.9 or later. For Mastodon versions 4.0.0 through 4.0.4, update to version 4.0.5 or later. For Mastodon versions 4.1.0 through 4.1.2, update to version 4.1.3 or later. As a temporary workaround, consider restricting the use of oEmbed preview cards until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Mastodon versions 3.5.0 through 3.5.8 Mastodon versions 4.0.0 through 4.0.4 Mastodon versions 4.1.0 through 4.1.2 **Description** The issue arises from a flaw in the media processing code, allowing attackers to create arbitrary files at any location using carefully crafted media files. This can lead to Denial of Service and arbitrary Remote Code Execution. The vulnerability is caused by an error in input validation when handling directory traversal sequences. **Recommendations** For Mastodon versions 3.5.0 through 3.5.8, update to version 3.5.9 or later. For Mastodon versions 4.0.0 through 4.0.4, update to version 4.0.5 or later. For Mastodon versions 4.1.0 through 4.1.2, update to version 4.1.3 or later. As a temporary workaround, consider restricting access to the media processing code until a patch is applied. Avoid using the media file handler component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Sanitize versions 3.0.0 through 6.0.2 **Description** The issue is related to the Sanitize HTML and CSS sanitizer, which can be exploited by an attacker using carefully crafted input to sneak arbitrary HTML and CSS through the sanitizer. This could result in cross-site scripting or other undesired behavior when the malicious HTML and CSS are rendered in a browser. The exploitation is possible when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows `style` elements and one or more CSS at-rules. **Recommendations** For Sanitize versions 3.0.0 through 6.0.2, consider the following: - Upgrade to Sanitize version 6.0.2 or later, which performs additional escaping of CSS in `style` element content. - Use a Sanitize config that doesn't allow `style` elements. - Use a Sanitize config that doesn't allow CSS at-rules. - Manually escape the character sequence `</` as `</` in `style` element content.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 78.9.1 **Description** The issue is related to the incorrect verification of OpenPGP cryptographic signatures in Thunderbird. If a user has previously imported someone's OpenPGP key and the key owner has extended the validity period of their key, but the updated key has not been imported, an attacker can send an email with a crafted version of the key containing an invalid subkey. This could cause Thunderbird to attempt to use the invalid subkey, resulting in a failure to send encrypted emails to the key owner. **Recommendations** For Thunderbird versions prior to 78.9.1, update to version 78.9.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Thunderbird ESR versions prior to 52.8 Thunderbird versions prior to 52.8 **Description** The issue allows an attacker to spoof the filename of an attachment, potentially leading to a user opening a remote attachment that is a different file type than expected. This is due to insufficient input validation. **Recommendations** For Thunderbird ESR versions prior to 52.8, update to version 52.8 or later. For Thunderbird versions prior to 52.8, update to version 52.8 or later.

**Name of the Vulnerable Software and Affected Versions** Thunderbird ESR versions prior to 52.8 Thunderbird versions prior to 52.8 **Description** The issue arises due to insufficient input validation, allowing a remote attacker to cause a denial of service by sending crafted message headers, which can cause the Thunderbird process to hang. **Recommendations** For Thunderbird ESR versions prior to 52.8, update to version 52.8 or later. For Thunderbird versions prior to 52.8, update to version 52.8 or later.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 52.5.2 **Description** The issue allows RSS fields to inject new lines into the created email structure, thereby modifying the message body. **Recommendations** For versions prior to 52.5.2, update to version 52.5.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 52.5.2 **Description** The issue allows crafted CSS in an RSS feed to leak and reveal local path strings, potentially containing user names. **Recommendations** For versions prior to 52.5.2, update to version 52.5.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 52.5.2 **Description** The issue allows execution of JavaScript in the parsed RSS feed when viewed as a website. This can occur through different viewing options, such as "View -> Feed article -> Website" or the standard "View -> Feed article -> default format". **Recommendations** For versions prior to 52.5.2, update to version 52.5.2 or later to resolve the issue.