Linus Särud

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 101 **Description** The issue is related to incorrect handling of HTML comment tags by the browser's HTML parser, potentially allowing a remote attacker to conduct cross-site scripting attacks. This could be exploited when user-controlled data is placed within HTML comments on a webpage, enabling the attacker to escape the comments. **Recommendations** For Firefox versions prior to 101, update to version 101 or later to resolve the issue. As a temporary workaround, consider restricting the use of user-controlled data within HTML comments to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 60.8 Firefox versions prior to 68 Thunderbird versions prior to 60.8 **Description** The issue is related to an error in parsing page content, which can cause properly sanitized user input to be misinterpreted. This can lead to XSS hazards on websites under certain circumstances. The vulnerability may allow a remote attacker to execute arbitrary code. **Recommendations** For Firefox ESR versions prior to 60.8, update to version 60.8 or later. For Firefox versions prior to 68, update to version 68 or later. For Thunderbird versions prior to 60.8, update to version 60.8 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 12.2 tvOS versions prior to 12.2 Safari versions prior to 12.1 iTunes for Windows versions prior to 12.9.4 iCloud for Windows versions prior to 7.11 WebKitGTK (affected versions not specified) WPE WebKit (affected versions not specified) **Description** A logic issue was addressed with improved validation, which may allow a malicious website to execute scripts in the context of another website. The issue is related to insecure privilege management in WebKitGTK and WPE WebKit modules, which can be exploited by a remote attacker using a specially crafted web page to execute arbitrary code. **Recommendations** For iOS versions prior to 12.2, update to iOS 12.2 or later. For tvOS versions prior to 12.2, update to tvOS 12.2 or later. For Safari versions prior to 12.1, update to Safari 12.1 or later. For iTunes for Windows versions prior to 12.9.4, update to iTunes 12.9.4 or later. For iCloud for Windows versions prior to 7.11, update to iCloud for Windows 7.11 or later. For WebKitGTK and WPE WebKit, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 11.1 **Description** The issue involves the WebKit component and allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is a cross-site scripting (XSS) vulnerability. **Recommendations** For versions prior to 11.1, update to version 11.1 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially malicious URLs to minimize the risk of exploitation.