Popax21

**Name of the Vulnerable Software and Affected Versions** Astro versions prior to 6.1.10 **Description** AES-GCM encryption used to protect the confidentiality and integrity of server island props and slots parameters did not bind the ciphertext to its intended component or parameter type. This allows an attacker to replay one component's encrypted props (`p`) value as another component's slots (`s`) value, or vice versa. Because slots contain raw unescaped HTML while props may contain user-controlled values, this can lead to Cross-Site Scripting (XSS), which is a technique where malicious scripts are injected into trusted websites. This issue occurs when an application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop on a dynamically rendered page. **Recommendations** Update to version 6.1.10.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 133.0.6943.98 **Description** The issue is related to a use after free vulnerability in the V8 JavaScript engine, which can lead to heap corruption. This can be exploited by a remote attacker using a specially crafted HTML page, potentially allowing for arbitrary code execution or denial of service. **Recommendations** For Google Chrome versions prior to 133.0.6943.98, update to version 133.0.6943.98 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable web pages until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Chromium versions prior to 131.0.6778.264 Chromium-GOST versions prior to 134.0.6998.88-alt1 Yandex-Browser-Stable versions 24.12.4.1097-alt1 and 25.2.4.1000-alt1 **Description** A type confusion issue exists in the V8 JavaScript engine used in Google Chrome and Microsoft Edge. This flaw could allow a remote attacker to execute arbitrary code within a sandbox by crafting a malicious HTML page. The vulnerability is related to errors in how data types are handled. A proof-of-concept exploit is publicly available. **Recommendations** Chromium versions prior to 131.0.6778.264: Upgrade to version 131.0.6778.264 or later. Chromium-GOST versions prior to 134.0.6998.88-alt1: Upgrade to version 134.0.6998.88-alt1 or later. Yandex-Browser-Stable versions prior to 24.12.4.1097-alt1 and 25.2.4.1000-alt1: Upgrade to version 24.12.4.1097-alt1 or 25.2.4.1000-alt1 or later.

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 129.0.6668.58 Microsoft Edge versions (affected versions not specified) Description: The issue is related to a type confusion error in the V8 JavaScript engine, which can be exploited by a remote attacker using a specially crafted HTML page. This could potentially lead to heap corruption, affecting the confidentiality, integrity, and availability of protected information. Recommendations: For Google Chrome versions prior to 129.0.6668.58, update to version 129.0.6668.58 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.