Michal Bentkowski

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 102.0.5005.61 **Description** The issue exists due to insufficient validation of untrusted input in the Data Transfer component of Google Chrome. This allows a remote attacker to bypass the same origin policy via a crafted clipboard content, potentially disclosing protected information. The attacker can exploit this issue by using a specially crafted web page. **Recommendations** For versions prior to 102.0.5005.61, update to version 102.0.5005.61 or later to resolve the issue. As a temporary workaround, consider restricting access to the Data Transfer component until a patch is applied. Avoid using the clipboard content in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Sanitize versions 3.0.0 through 5.2.0 Description: The issue is related to insufficient protection measures in the Sanitize library for Ruby, allowing a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. Specifically, when using Sanitize's "relaxed" config or a custom config that allows certain elements, some content in `math` or `svg` elements may not be sanitized correctly. This can lead to cross-site scripting (XSS) or other undesired behavior when rendered in a browser, especially if the config allows elements like `iframe`, `math`, `noembed`, `noframes`, `noscript`, `plaintext`, `script`, `style`, `svg`, or `xmp`. Recommendations: For Sanitize versions 3.0.0 through 5.2.0, update to version 5.2.1 to resolve the issue. As a temporary workaround, consider restricting the use of Sanitize's "relaxed" config or custom configs that allow potentially vulnerable HTML elements until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge (affected versions not specified) **Description** The issue is related to a spoofing vulnerability that occurs when Microsoft Edge does not properly parse HTTP content. This could allow a remote attacker to conduct spoofing attacks by redirecting users to a specially crafted website, which could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. To exploit this issue, the user must click a specially crafted URL. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.