Michał Bentkowski

Name of the Vulnerable Software and Affected Versions: Vite versions prior to 3.2.11 Vite versions prior to 4.5.5 Vite versions prior to 5.2.14 Vite versions prior to 5.3.6 Vite versions prior to 5.4.6 Description: A DOM Clobbering vulnerability was discovered in Vite when building scripts to `cjs`/`iife`/`umd` output format. This vulnerability can lead to cross-site scripting (XSS) attacks on websites that include Vite-bundled files and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. The vulnerability occurs when an attacker embeds a piece of non-script, seemingly benign HTML markups in the webpage, and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism, allowing an attacker to replace the intended script element with a malicious HTML element. This can result in the dynamic loading of scripts from an attacker-controlled server. Recommendations: For versions prior to 3.2.11, update to version 3.2.11 or later. For versions prior to 4.5.5, update to version 4.5.5 or later. For versions prior to 5.2.14, update to version 5.2.14 or later. For versions prior to 5.3.6, update to version 5.3.6 or later. For versions prior to 5.4.6, update to version 5.4.6 or later.

**Name of the Vulnerable Software and Affected Versions** Webpack versions prior to 5.94.0 **Description** A DOM Clobbering vulnerability has been discovered in Webpack's `AutoPublicPathRuntimeModule`. This vulnerability can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements are present. The DOM Clobbering gadget in the module can be exploited by an attacker who embeds a piece of non-script, seemingly benign HTML markups in the webpage and leverages the gadgets living in the existing JavaScript code to transform it into executable code. Real-world exploitation of this gadget has been observed in the Canvas LMS, which allows a XSS attack to happen through a JavaScript code compiled by Webpack. This issue can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. **Recommendations** To resolve the issue, upgrade to Webpack version 5.94.0 or later. As a temporary workaround, consider restricting access to the `AutoPublicPathRuntimeModule` until a patch is available. Additionally, ensure that all user-inputted HTML tags are properly sanitized to prevent XSS attacks. Avoid using the `name` attribute in the affected API endpoints until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 86 Description: The DOMParser API did not properly process '<noscript>' elements for escaping, which could be used as an mXSS vector to bypass an HTML Sanitizer. Recommendations: For Firefox versions prior to 86, update to version 86 or later to resolve the issue. As a temporary workaround, consider restricting the use of the DOMParser API until a patch is available. Avoid using the DOMParser API to process user-supplied HTML content that may contain '<noscript>' elements until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Bleach versions prior to 3.3.0 **Description** A mutation XSS affects users calling `bleach.clean` with specific allowed tags and the keyword argument `strip comments=False`. This issue may allow a remote attacker to impact the confidentiality and integrity of protected information. The affected tags include `svg`, `math`, `p`, `br`, `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe`, or `xmp`. Note that none of these tags are in the default allowed tags and `strip comments` defaults to `True`. **Recommendations** To resolve the issue, users are encouraged to upgrade to Bleach version 3.3.0 or greater. As a temporary workaround, modify `bleach.clean` calls to at least one of: * not allow the `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe`, or `xmp` tag * not allow `svg` or `math` tags * not allow `p` or `br` tags * set `strip comments=True` Additionally, a strong Content-Security-Policy without `unsafe-inline` and `unsafe-eval` `script-src`s will also help mitigate the risk.

Name of the Vulnerable Software and Affected Versions: HtmlSanitizer versions prior to 5.0.372 Description: The issue allows for a possible XSS bypass if the `<style>` tag is allowed. An attacker could craft HTML that includes script after passing through the sanitizer if the `<style>` tag has been explicitly allowed. The default settings disallow the `<style>` tag, posing no risk if it has not been explicitly allowed. Recommendations: For versions prior to 5.0.372, update to version 5.0.372 to resolve the issue. As a temporary workaround, consider removing the `<style>` tag from the set of allowed tags until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 83.0.4103.61 **Description** The issue is related to insufficient validation of untrusted input in the clipboard of Google Chrome, which can be exploited by a local attacker to inject arbitrary scripts or HTML, potentially affecting data integrity. This can be done via crafted clipboard contents. **Recommendations** For versions prior to 83.0.4103.61, update to version 83.0.4103.61 or later to resolve the issue. As a temporary workaround, consider restricting the use of the clipboard feature in Google Chrome until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 81.0.4044.92 **Description** The issue is related to insufficient validation of untrusted input in the clipboard, which can be exploited by a local attacker to bypass site isolation. This can potentially allow a remote attacker to access confidential data due to a lack of standard permission mechanisms. **Recommendations** For versions prior to 81.0.4044.92, update to version 81.0.4044.92 or later to resolve the issue. As a temporary workaround, consider restricting access to clipboard contents to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TinyMCE versions 4.9.6 and earlier TinyMCE versions 5.1.3 and earlier **Description** A cross-site scripting (XSS) issue was discovered in the core parser, `paste` and `visualchars` plugins, allowing arbitrary JavaScript execution when inserting specially crafted content into the editor via the clipboard or APIs. **Recommendations** For TinyMCE versions 4.9.6 and earlier, upgrade to TinyMCE 4.9.7. For TinyMCE versions 5.1.3 and earlier, upgrade to TinyMCE 5.1.4. As a temporary workaround, consider disabling the impacted plugins. Manually sanitize the content using the `BeforeSetContent` event.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 79.0.3945.79 **Description** The issue is related to insufficient validation of untrusted input in Blink, allowing a local attacker to bypass the same origin policy via crafted clipboard content. This could potentially enable a remote attacker to gain unauthorized access to confidential data, cause a denial of service, and impact data integrity. **Recommendations** For versions prior to 79.0.3945.79, update to version 79.0.3945.79 or later to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 68.4 Firefox versions prior to 72 **Description** The issue arises when a `<style>` tag is pasted from the clipboard into a rich text editor, and the CSS sanitizer fails to escape `<` and `>` characters. Although this does not directly result in webpage injection, it can lead to an XSS vulnerability if a webpage copies the node's innerHTML and assigns it to another innerHTML. Two WYSIWYG editors have been identified with this behavior, suggesting more may exist. **Recommendations** For Firefox ESR versions prior to 68.4, update to version 68.4 or later. For Firefox versions prior to 72, update to version 72 or later. As a temporary workaround, consider disabling the use of rich text editors that exhibit this behavior until a patch is available. Restrict access to innerHTML assignments to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 68.4 Firefox versions prior to 72 **Description** The issue arises when pasting a `<style>` tag from the clipboard into a rich text editor, causing the CSS sanitizer to incorrectly rewrite a `@namespace` rule. This could lead to injection into certain types of websites, resulting in data exfiltration. The vulnerability may allow a remote attacker to impact data integrity. **Recommendations** For Firefox ESR versions prior to 68.4, update to version 68.4 or later. For Firefox versions prior to 72, update to version 72 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 80.0.3987.87 **Description** The issue is related to insufficient validation of untrusted input in the Blink component of Google Chrome, which can be exploited by a remote attacker using a specially crafted HTML page to impact data integrity. This can allow a local attacker to bypass content security policy. **Recommendations** For versions prior to 80.0.3987.87, update to version 80.0.3987.87 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 80.0.3987.87 **Description** The issue is related to insecure privilege management in the Blink component of Google Chrome. It can be exploited by a remote attacker using a specially crafted HTML page, potentially allowing access to confidential data, disrupting data integrity, and causing a denial of service. **Recommendations** For versions prior to 80.0.3987.87, update to version 80.0.3987.87 or later to resolve the issue. As a temporary workaround, consider restricting access to untrusted HTML pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 67.0.3396.79 **Description** The issue is related to an incorrect implementation of Content Security Policy in Google Chrome, allowing a remote attacker to bypass navigation restrictions via a crafted HTML page. This is due to the browser's failure to properly handle CRLF sequences, which can be exploited by an attacker to bypass navigation restrictions. The vulnerability affects Google Chrome and potentially other browsers like Opera, due to incorrect handling of CSP headers, allowing attackers to affect the system. **Recommendations** For Google Chrome versions prior to 67.0.3396.79, update to version 67.0.3396.79 or later to resolve the issue. For Opera, consider disabling the use of CSP headers until a patch is available. As a temporary workaround, consider restricting the use of HTML pages that could potentially exploit this issue until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 54 Firefox ESR versions prior to 52.2 Thunderbird versions prior to 52.2 **Description** The issue affects the display of certain Tibetan characters in the address bar on OS X operating systems, potentially leading to domain name spoofing attacks. This is due to the default fonts on OS X displaying some Tibetan characters as whitespace. The estimated number of potentially affected devices is not specified. **Recommendations** For Firefox versions prior to 54, update to version 54 or later. For Firefox ESR versions prior to 52.2, update to version 52.2 or later. For Thunderbird versions prior to 52.2, update to version 52.2 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 42.0 Firefox ESR versions prior to 38.4 **Description** The issue allows remote attackers to bypass the Same Origin Policy for an IP address origin and conduct cross-site scripting (XSS) attacks by appending whitespace characters to an IP address string. This is related to errors in security settings. **Recommendations** For Mozilla Firefox versions prior to 42.0, update to version 42.0 or later. For Firefox ESR versions prior to 38.4, update to version 38.4 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 3.5.x through 3.5.8.1 phpMyAdmin versions 4.0.x through 4.0.4.1 **Description** A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML via a crafted SQL query that is not properly handled during the display of row information. **Recommendations** For phpMyAdmin versions 3.5.x through 3.5.8.1, update to version 3.5.8.2 or later. For phpMyAdmin versions 4.0.x through 4.0.4.1, update to version 4.0.4.2 or later.