Mozilla · Firefox · CVE-2022-46873
**Name of the Vulnerable Software and Affected Versions**
Firefox versions prior to 108
**Description**
The issue stems from the insufficient implementation of the `unsafe-hashes` CSP directive in Firefox: an attacker who can inject markup into a page protected by a Content Security Policy may be able to inject executable script. The impact would be constrained by the specified Content Security Policy of the document. The vulnerability may allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service.
**Recommendations**
Update Firefox versions prior to 108 to a version that includes the fix for this issue to prevent potential exploitation. As a temporary workaround, consider restricting the use of the Content Security Policy to minimize the risk of exploitation. Avoid using the `unsafe-hashes` directive in the Content Security Policy until the issue is resolved.
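
To act on the last recommendation, a site owner first needs to know where a policy relies on `unsafe-hashes`. The following is an added example, not code from Mozilla or from this advisory: it parses a `Content-Security-Policy` header value and reports which governing directive lists `'unsafe-hashes'` for each kind of inline content the keyword applies to. The function names, the fallback table and the sample policies are assumptions constructed for illustration.

```javascript
// Added example: report where a Content-Security-Policy header relies on 'unsafe-hashes'.
// Fallback chains (per CSP Level 3) for the inline content 'unsafe-hashes' applies to.
const FALLBACK = {
  "inline event handlers": ["script-src-attr", "script-src", "default-src"],
  "javascript: navigations": ["script-src-elem", "script-src", "default-src"],
  "inline style attributes": ["style-src-attr", "style-src", "default-src"],
};

// Parse one serialized policy into Map(directive -> [source expressions]).
// Directive names are case-insensitive; a repeated directive is ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// One finding per policy and content type whose governing directive lists
// 'unsafe-hashes'. A header value may carry several comma-separated policies.
function findUnsafeHashes(headerValue) {
  const findings = [];
  headerValue.split(",").forEach((policy, index) => {
    const directives = parsePolicy(policy);
    for (const [content, chain] of Object.entries(FALLBACK)) {
      const governing = chain.find((d) => directives.has(d));
      if (!governing) continue; // no directive restricts this content type
      const sources = directives.get(governing).map((s) => s.toLowerCase());
      if (!sources.includes("'unsafe-hashes'")) continue;
      const hashes = sources.filter((s) => /^'sha(256|384|512)-/.test(s)).length;
      findings.push({ policy: index, content, directive: governing, hashes });
    }
  });
  return findings;
}

// Constructed sample header values (the hash is a placeholder, not a real digest).
const SAMPLES = [
  "default-src 'self'; script-src 'self' 'unsafe-hashes' 'sha256-PLACEHOLDER='",
  "default-src 'self'; script-src 'unsafe-hashes' 'sha256-PLACEHOLDER='; script-src-attr 'none'",
  "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'",
];
for (const header of SAMPLES) {
  console.log(JSON.stringify(findUnsafeHashes(header)), "<=", header);
}
```

In the second sample, `script-src-attr 'none'` takes precedence for event handlers, so the keyword in `script-src` is reported only for `javascript:` navigations.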