Man Yue Mo

**Name of the Vulnerable Software and Affected Versions** Sentry versions prior to 26.1.0 **Description** Sentry is a developer-first error tracking and performance monitoring tool. Versions prior to 26.1.0 have a cross-organization Insecure Direct Object Reference (IDOR) issue in the `GroupEventJsonView` endpoint. An Insecure Direct Object Reference occurs when an application uses user-supplied input to directly access objects, potentially allowing unauthorized access to data. **Recommendations** Update to version 26.1.0 or later.

Name of the Vulnerable Software and Affected Versions: Apache Doris versions prior to 2.1.8 Apache Doris versions prior to 3.0.3 Description: The issue allows application administrators to read arbitrary files from the server filesystem through path traversal, which is a type of vulnerability known as Improper Limitation of a Pathname to a Restricted Directory. This can be exploited through the REST API. Recommendations: For Apache Doris versions prior to 2.1.8, upgrade to version 2.1.8 or later to fix the issue. For Apache Doris versions prior to 3.0.3, upgrade to version 3.0.3 or later to fix the issue. As a temporary workaround, consider restricting access to the REST API to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 124.0.6367.60 Microsoft Edge (affected versions not specified) **Description** The issue is related to object corruption in WebAssembly, which could allow a remote attacker to potentially exploit object corruption via a crafted HTML page. This is due to a buffer overflow in memory. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Google Chrome versions prior to 124.0.6367.60, update to version 124.0.6367.60 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 124.0.6367.60 Microsoft Edge (affected versions not specified) **Description** The issue is related to object corruption in the V8 JavaScript engine used by Google Chrome and Microsoft Edge browsers. It involves a memory corruption vulnerability that can be exploited by a remote attacker through a specially crafted HTML page, potentially allowing the execution of arbitrary code. The severity of this issue is considered high. **Recommendations** For Google Chrome versions prior to 124.0.6367.60, update to version 124.0.6367.60 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to potentially vulnerable HTML pages or disabling JavaScript execution in untrusted environments until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 115.0.5790.170 **Description** The issue is related to a type confusion in the V8 JavaScript engine, which can potentially allow a remote attacker to exploit heap corruption via a crafted HTML page. This can lead to arbitrary code execution. The Chromium security severity of this issue is High. **Recommendations** For Google Chrome versions prior to 115.0.5790.170, update to version 115.0.5790.170 or later to resolve the issue. As a temporary workaround, consider avoiding the use of crafted HTML pages that could trigger the type confusion vulnerability in the V8 engine. Restrict access to potentially vulnerable web pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 114.0.5735.198 **Description** The issue is related to a type confusion vulnerability in the V8 engine of Google Chrome, allowing a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability can lead to remote code execution. The Chromium security severity of this issue is High. **Recommendations** For Google Chrome versions prior to 114.0.5735.198, update to version 114.0.5735.198 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable `V8` engine components until a patch is applied. Avoid using crafted HTML pages that could exploit the type confusion vulnerability in the `V8` engine.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 111.0.5563.64 **Description** The issue is related to type confusion in the V8 JavaScript engine of Google Chrome, which can lead to heap corruption. A remote attacker can potentially exploit this issue by using a specially crafted HTML page, allowing them to execute arbitrary code. The severity of this issue is considered high. **Recommendations** For versions prior to 111.0.5563.64, update to version 111.0.5563.64 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable HTML pages until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Arm Mali GPU kernel driver versions Bifrost r0p0 through r39p0 Arm Mali GPU kernel driver versions Valhall r19p0 through r39p0 Arm Mali GPU kernel driver versions Midgard r4p0 through r32p0 **Description** The issue is related to the mishandling of GPU memory operations, allowing unprivileged users to access freed memory. This can lead to a denial of service. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited. The vulnerability is related to the use of memory after it has been freed, which can be exploited by a remote attacker. **Recommendations** For versions Bifrost r0p0 through r39p0, update to a version that properly handles GPU memory operations to prevent access to freed memory. For versions Valhall r19p0 through r39p0, update to a version that properly handles GPU memory operations to prevent access to freed memory. For versions Midgard r4p0 through r32p0, update to a version that properly handles GPU memory operations to prevent access to freed memory. As a temporary workaround, consider restricting access to the GPU kernel driver to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 102.0.5005.61 **Description** The issue is related to a type confusion error in the V8 JavaScript engine of Google Chrome, which could allow a remote attacker to exploit heap corruption via a crafted HTML page. This could potentially lead to the disclosure of protected information. **Recommendations** For versions prior to 102.0.5005.61, update to version 102.0.5005.61 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 100.0.4896.60 Microsoft Edge (affected versions not specified) **Description** The issue is related to a type confusion in the V8 JavaScript engine, which can lead to heap corruption. A remote attacker can potentially exploit this issue via a crafted HTML page, allowing them to execute arbitrary code. **Recommendations** For Google Chrome versions prior to 100.0.4896.60, update to version 100.0.4896.60 or later. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Qualcomm Snapdragon (affected versions not specified) Description: The issue is related to improper validation of kernel buffer address while copying information back to user buffer, which can lead to kernel memory information exposure to user space. This affects various Qualcomm Snapdragon products, including Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, and Snapdragon Wearables. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Qualcomm npu driver (affected versions not specified) Description: The issue is related to improper validation of kernel buffer address while copying information back to user buffer, which can lead to kernel memory information exposure to user space. This affects various Snapdragon products, including Auto, Compute, Consumer IOT, Industrial IOT, Mobile, Voice & Music, and Wearables. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Qualcomm Snapdragon (affected versions not specified) Description: The issue arises from improper handling of responses from firmware, potentially leading to use after free. This affects various Qualcomm Snapdragon products, including Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, and Snapdragon Wearables. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome on Android versions prior to 91.0.4472.77 **Description** The issue is related to a use after free vulnerability in the WebAuthentication component of Google Chrome. This could allow a remote attacker who has compromised the renderer process of a user, particularly one who has saved a credit card in their Google account, to potentially exploit heap corruption via a crafted HTML page. **Recommendations** For Google Chrome on Android versions prior to 91.0.4472.77, update to version 91.0.4472.77 or later to resolve the issue. As a temporary workaround, consider avoiding the use of saved credit cards in Google accounts until the update is applied. Restrict access to potentially vulnerable WebAuthentication components to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 90.0.4430.212 **Description** The issue is related to type confusion in the V8 JavaScript engine, which can lead to heap corruption. A remote attacker can exploit this by using a specially crafted HTML page, potentially gaining access to sensitive data, disrupting data integrity, and causing a denial of service. **Recommendations** For versions prior to 90.0.4430.212, update to version 90.0.4430.212 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable HTML pages until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 87.0.4280.141 **Description** The issue is related to a use after free in the audio component, which could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This could impact the confidentiality, integrity, and availability of protected information. **Recommendations** For versions prior to 87.0.4280.141, update to version 87.0.4280.141 or later to resolve the issue. As a temporary workaround, consider restricting access to crafted HTML pages that could exploit the heap corruption vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 87.0.4280.66 **Description** The issue is related to a use after free in the payments component of Google Chrome, which could allow a remote attacker who has compromised the renderer process to potentially perform a sandbox escape. This can be achieved via a crafted HTML page. The attacker may be able to execute arbitrary code. **Recommendations** For versions prior to 87.0.4280.66, update to version 87.0.4280.66 or later to resolve the issue. As a temporary workaround, consider restricting access to the payments component until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 86.0.4240.75 **Description** The issue is related to a use after free in the payments component of Google Chrome, which could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This could enable the attacker to bypass existing security restrictions. **Recommendations** For versions prior to 86.0.4240.75, update to version 86.0.4240.75 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 80.0.3987.162 **Description** The issue is related to a use after free in the WebAudio component, which can be exploited by a remote attacker via a crafted HTML page. This could potentially lead to heap corruption, allowing the attacker to gain unauthorized access to sensitive data, cause a denial of service, or impact data integrity. **Recommendations** For versions prior to 80.0.3987.162, update to version 80.0.3987.162 or later to resolve the issue. As a temporary workaround, consider restricting access to WebAudio functionality until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 80.0.3987.149 **Description** The issue is related to a use after free error in the audio component of Google Chrome, which can be exploited by a remote attacker to potentially access sensitive data, compromise data integrity, and cause a denial of service. This can be achieved via a crafted HTML page, allowing for heap corruption. **Recommendations** For versions prior to 80.0.3987.149, update to version 80.0.3987.149 or later to resolve the issue.