Sohom Datta

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.21 **Description** The issue is related to the improper handling of backticks (`) as Javascript string delimiters in templates, which can lead to the injection of arbitrary Javascript code into the Go template. This occurs when a Go template action is used within a Javascript template literal. The decision was made to disallow Go template actions from being used inside Javascript template literals due to the complexity of ES6 template literals and the potential for string interpolation. With the fix, Template.Parse returns an Error when it encounters templates like this. **Recommendations** For versions prior to 1.21, users can re-enable the previous behavior using the GODEBUG flag jstmpllitinterp=1, but this should be used with caution as backticks will now be escaped. It is recommended to update to Go 1.21 or later to resolve the issue. As a temporary workaround, consider avoiding the use of Go template actions within Javascript template literals to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 111.0.5563.64 Microsoft Edge (affected versions not specified) **Description** The issue is related to insufficient policy enforcement in the Resource Timing API, which can be exploited by a remote attacker to obtain potentially sensitive information. This can be achieved through a specially crafted HTML page. The estimated number of potentially affected devices is not provided. **Recommendations** For Google Chrome versions prior to 111.0.5563.64, update to version 111.0.5563.64 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jpeg-js versions prior to 0.4.4 **Description** The issue allows a Denial of Service (DoS) where a particular piece of input will cause the program to enter an infinite loop and never return. **Recommendations** For versions prior to 0.4.4, update to version 0.4.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 100 **Description** The Performance API in Firefox did not properly hide whether a request for a cross-origin resource has observed redirects, leading to a potential information disclosure. This issue may allow a remote attacker to gain unauthorized access to protected information. **Recommendations** For versions prior to 100, update to version 100 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive information until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 100.0.4896.60 Microsoft Edge (affected versions not specified) **Description** The issue is related to an inappropriate implementation in the Resource Timing API, which can be exploited by a remote attacker to leak cross-origin data via a crafted HTML page. This can allow an attacker to gain unauthorized access to protected information. **Recommendations** For Google Chrome versions prior to 100.0.4896.60, update to version 100.0.4896.60 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.