Smoke-Wolf

#18386 of 53,634
14.7 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)
PT-2026-39659
8.0
2026-05-11
Unknown · Zen Browser · CVE-2026-41431
**Name of the Vulnerable Software and Affected Versions**
Zen Browser versions prior to 1.19.9b

**Description**
Zen Browser includes a Mozilla Application Resource (MAR) updater (`org.mozilla.updater`) that lacks cryptographic signature verification. Because the updater binary contains no verification code and the MAR files contain no signatures, the defense-in-depth mechanism provided by MAR signing is absent. If the update server or GitHub release pipeline is compromised, an attacker could deliver arbitrary unsigned code to users through the auto-update mechanism.

**Recommendations**
Update to version 1.19.9b.

PT-2026-39724
6.7
2026-05-11
Tookie · Tookie · CVE-2026-42866
**Name of the Vulnerable Software and Affected Versions**
Tookie versions prior to 4.1fix

**Description**
An issue exists in the `modules/modules.py` file where the `write_txt()`, `write_csv()`, `write_json()`, and `scan_file()` helper functions open output files using the `open(f"{user}.<ext>")` method. The `user` variable, which is sourced from the `-u` CLI flag or a `-U` usernames file, is not sanitized. A username containing path-separator sequences such as `..`, `/`, `\`, or an absolute path allows the tool to write scan output to any arbitrary path where the invoking user has write permissions.

**Recommendations**
Update to version 4.1fix.