Joshua Graham

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 73 Firefox versions prior to ESR68.5 **Description** The issue allows command line arguments to be injected during Firefox invocation as a shell handler for certain unsupported file types. This requires Firefox to be configured as the default handler for a given file type and for a file downloaded to be opened in a third-party application that insufficiently sanitizes URL data. In such a situation, clicking a link in the third-party application could be used to retrieve and execute files whose location was supplied through command line arguments. This issue only affects Windows operating systems when Firefox is configured as the default handler for non-default file types. **Recommendations** For Firefox versions prior to 73, update to version 73 or later to resolve the issue. For Firefox versions prior to ESR68.5, update to version ESR68.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Microsoft Browsers (affected versions not specified) **Description** A security feature bypass issue exists due to the failure of Microsoft Browsers to validate the correct Security Zone for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended, potentially bypassing existing security restrictions. The vulnerability is related to deficiencies in the security mechanisms when checking URLs, which can be exploited by a remote attacker to bypass security limitations. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 66 Firefox ESR versions prior to 60.6 Thunderbird versions prior to 60.6 **Description** A vulnerability was discovered where specific command line arguments are not properly discarded during Firefox invocation as a shell handler for URLs. This could be used to retrieve and execute files whose location is supplied through these command line arguments if Firefox is configured as the default URI handler for a given URI scheme in third party applications and these applications insufficiently sanitize URL data. The issue only affects Windows operating systems. **Recommendations** For Firefox versions prior to 66, update to version 66 or later to resolve the issue. For Firefox ESR versions prior to 60.6, update to version 60.6 or later to resolve the issue. For Thunderbird versions prior to 60.6, update to version 60.6 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Microsoft Edge in Microsoft Windows 10 versions Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 Description: The issue allows an attacker to access information from one domain and inject it into another domain, due to how Microsoft Edge enforces cross-domain policies. An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies. Recommendations: For Microsoft Edge in Microsoft Windows 10 versions Gold, 1511, 1607, 1703, 1709, and Windows Server 2016, update to a version that properly enforces cross-domain policies to prevent elevation of privilege. At the moment, there is no information about a newer version that contains a fix for this vulnerability.