Seongil Wi

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 122 Firefox ESR versions prior to 115.7 Thunderbird versions prior to 115.7 **Description** The issue is related to errors in security settings, allowing a remote attacker to bypass security restrictions and modify the Content Security Policy (CSP) in isolated iframe environments of Mozilla Firefox, Firefox ESR, and the Thunderbird email client. Specifically, when a parent page loads a child in an iframe with `unsafe-inline`, the parent Content Security Policy could override the child Content Security Policy. **Recommendations** For Firefox versions prior to 122, update to version 122 or later to resolve the issue. For Firefox ESR versions prior to 115.7, update to version 115.7 or later to resolve the issue. For Thunderbird versions prior to 115.7, update to version 115.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `unsafe-inline` attribute in iframes to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** vm2 versions prior to 3.9.15 **Description** The issue is related to the incorrect handling of objects in memory by the Error.prepareStackTrace object in the vm2 library of the NPM package manager. This can allow a remote attacker to bypass sandbox protections and gain remote code execution rights on the host running the sandbox. The `Error.prepareStackTrace` function is vulnerable when handling host objects passed in case of unhandled async errors. **Recommendations** For versions prior to 3.9.15, update to version 3.9.15 or later to patch the vulnerability. As a temporary workaround, consider restricting access to the `Error.prepareStackTrace` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ICEcoder version 8.0 **Description** A reflected XSS issue was identified in the multipe-results.php page due to insufficient sanitization of the `replace` variable. This allows arbitrary Javascript code to be executed, potentially enabling remote attackers to perform cross-site scripting attacks. **Recommendations** For ICEcoder version 8.0, consider disabling access to the multipe-results.php page or restricting the use of the `replace` variable until a patch is available. Additionally, ensure proper sanitization of user input to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.