Jdgregson

**Name of the Vulnerable Software and Affected Versions** json5 versions 1.0.1 and earlier json5 versions 2.2.1 and earlier **Description** The `parse` method of the json5 library does not restrict parsing of keys named ` proto `, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. **Recommendations** For json5 versions 1.0.1 and earlier, upgrade to version 1.0.2 or later. For json5 versions 2.2.1 and earlier, upgrade to version 2.2.2 or later. As a temporary workaround, consider using the `JSON.parse` method instead of `JSON5.parse` to mitigate this vulnerability. Restrict access to the `parse` method of the json5 library to minimize the risk of exploitation. Avoid using the ` proto ` key in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Microsoft Excel (affected versions not specified) Microsoft Office (affected versions not specified) Microsoft 365 Apps for Enterprise (affected versions not specified) **Description** The issue is related to errors in security settings, allowing an attacker to disclose protected information using a specially crafted file. It is a security-feature bypass vulnerability that enables attackers to affect the system. **Recommendations** For Microsoft Excel, consider restricting access to sensitive files until a fix is available. For Microsoft Office, avoid using features that rely on security settings until the issue is resolved. For Microsoft 365 Apps for Enterprise, as a temporary workaround, consider disabling any functionality that may be exploited due to the security-feature bypass vulnerability until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cloudflare Warp for Windows versions 2022.2.95.0 through 2022.3.185.0 **Description** The issue is related to an unquoted service path in Cloudflare Warp for Windows, which enables arbitrary code execution leading to privilege escalation. **Recommendations** For versions 2022.2.95.0 through 2022.3.185.0, update to version 2022.3.186.0 to resolve the issue.