Raphael

**Name of the Vulnerable Software and Affected Versions** staffwiki version 7.0.1.19219 **Description** A cross-site scripting (XSS) issue exists in staffwiki. This allows attackers to execute arbitrary Javascript in the context of a user's browser through a crafted HTTP request. The vulnerable API endpoint is `/wff cols pref.css.aspx`. Attackers can leverage this to inject malicious scripts. **Recommendations** staffwiki version 7.0.1.19219: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 128 Thunderbird versions prior to 128 **Description** The issue is related to insufficient input validation in the Form Validation Popup Handler component of the Firefox web browser. This can be exploited by a remote attacker to cause a denial of service. The vulnerability allows form validation popups to capture escape key presses, which could be used to prevent users from exiting full-screen mode by spamming form validation messages. **Recommendations** For Firefox versions prior to 128, update to version 128 or later to resolve the issue. For Thunderbird versions prior to 128, update to version 128 or later to resolve the issue. As a temporary workaround, consider disabling form validation popups in full-screen mode until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 126 **Description** The issue is related to a file dialog shown while in full-screen mode, which could result in the window remaining disabled. Additionally, there is a vulnerability associated with the failure to protect the structure of a web page, potentially allowing a remote attacker to compromise data integrity and cause a denial of service. **Recommendations** For versions prior to 126, update to version 126 or later to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific vulnerability.

**Name of the Vulnerable Software and Affected Versions** Umbraco versions 10.0.0 through 10.8.0 Umbraco versions 10.8.1 is not affected, but versions prior to 12.3.4 are affected, so the correct range is: Umbraco versions 10.8.2 through 12.3.3 **Description** The issue is a cross-site scripting (XSS) vulnerability that allows attackers to bring malicious content into a website or application. This can be exploited when users are successfully logging into the Backoffice, specifically through a DOM-XSS vulnerability. **Recommendations** For Umbraco versions 10.0.0 through 10.8.0, update to version 10.8.1 to resolve the issue. For Umbraco versions 10.8.2 through 12.3.3, update to version 12.3.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 94 Thunderbird versions prior to 91.3 Firefox ESR versions prior to 91.3 **Description** The issue is related to incorrect limitation of visualized user interface layers, potentially allowing a remote attacker to conduct spoofing attacks by hiding requests for access to additional functionality from the user. This can be achieved by displaying a form validity message at the same time as a permission prompt, such as for geolocation, which could obscure the prompt and trick the user into granting the permission. **Recommendations** For Firefox versions prior to 94, update to version 94 or later to resolve the issue. For Thunderbird versions prior to 91.3, update to version 91.3 or later to resolve the issue. For Firefox ESR versions prior to 91.3, update to version 91.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox for Android versions prior to 50 **Description** The issue affects the location bar in Firefox for Android, allowing it to be spoofed. This can be achieved by forcing a user into fullscreen mode, blocking exit from this mode, and creating a fake location bar without notifying the user. **Recommendations** For versions prior to 50, update to version 50 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** lxr-cvs (affected versions not specified) **Description** The issue concerns multiple vulnerabilities in the lxr-cvs package of the Debian GNU/Linux operating system. These vulnerabilities can be exploited remotely, potentially leading to a breach of protected information integrity. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.