Pedro Batista

**Name of the Vulnerable Software and Affected Versions** Escargot version 4.0.0 **Description** A Segmentation Fault issue in the Samsung Open Source Escargot JavaScript engine allows remote attackers to cause a denial of service via crafted input. **Recommendations** For Escargot version 4.0.0, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Telegram WebK versions prior to 2.0.0 (488) **Description** A Cross-Site Scripting (XSS) flaw in Telegram WebK allows attackers to gain full account access, potentially jeopardizing data and cryptowallets. The issue stems from the Mini App system and can be exploited via a malicious Mini Web App using the `postMessage` `web app open link` event type. **Recommendations** For versions prior to 2.0.0 (488), update the web app to version 2.0.0 (488) or later for protection. As a temporary workaround, consider restricting the use of Mini Web Apps until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a string overflow in the SCPI genpd driver of the Linux kernel. Without bound checks for `scpi pd->name`, it could result in a buffer overflow when copying the SCPI device name from the corresponding device tree node, as the name string is set at a maximum size of 30. This could be fixed by using `devm kasprintf` to allocate the string buffer dynamically. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 91.4.0 **Description** The issue is related to Thunderbird unexpectedly enabling JavaScript in the composition area, which could be used as a stepping stone to further an attack with other vulnerabilities. The JavaScript execution context was limited to this area and did not receive chrome-level privileges. This vulnerability is associated with insecure privilege management, allowing a remote attacker to bypass JavaScript execution restrictions. **Recommendations** For versions prior to 91.4.0, update to version 91.4.0 or later to resolve the issue. As a temporary workaround, consider disabling JavaScript execution in the composition area until a patch is available. Restrict access to sensitive features in the composition area to minimize the risk of exploitation.