Takeshi Terada

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 94 Thunderbird versions prior to 91.3 Firefox ESR versions prior to 91.3 **Description** The issue is related to the Opportunistic Encryption feature of HTTP2, which allows a connection to be upgraded to TLS while retaining the visual properties of an HTTP connection. A network attacker could exploit this by forwarding a connection from the browser to a different port, causing the browser to treat the content as same-origin with HTTP. This could allow a remote attacker to bypass security restrictions. **Recommendations** For Firefox versions prior to 94, disable the Opportunistic Encryption feature. For Thunderbird versions prior to 91.3, disable the Opportunistic Encryption feature. For Firefox ESR versions prior to 91.3, disable the Opportunistic Encryption feature.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.6 **Description** The issue is related to the rendering of Cascading Style Sheets, which can lead to Cross-Site Scripting (XSS) attacks. XSS is a type of attack where an attacker injects malicious scripts into a website, allowing them to steal user data or take control of the user's session. **Recommendations** For versions prior to 3.6, update to version 3.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox for Android versions prior to 54 **Description** A security issue exists where Android intent URLs given to Firefox for Android can be used to navigate from HTTP or HTTPS URLs to local "file:" URLs. This allows for the reading of local data through a violation of same-origin policy. The issue only affects Firefox for Android and does not impact other operating systems. **Recommendations** For versions prior to 54, update to version 54 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 52.1 Firefox ESR versions prior to 52.1 Firefox versions prior to 53 **Description** The issue allows for a cross-site scripting (XSS) attack when a page is loaded from an original site through a hyperlink and contains a redirect to a "data:text/html" URL. Triggering a reload will run the reloaded "data:text/html" page with its origin set incorrectly. This vulnerability is related to the failure to protect the structure of a web page, which can be exploited by a remote attacker to conduct XSS attacks by redirecting to a "data:text/html" URL. **Recommendations** For Thunderbird versions prior to 52.1, update to version 52.1 or later. For Firefox ESR versions prior to 52.1, update to version 52.1 or later. For Firefox versions prior to 53, update to version 53 or later.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 9.3.3 Safari versions prior to 9.1.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via a crafted HTTP/0.9 response, related to a cross-protocol cross-site scripting (XPXSS) vulnerability. This is due to the lack of protection for the web page structure in the WebKit JavaScript component. **Recommendations** For Apple iOS versions prior to 9.3.3, update to version 9.3.3 or later. For Safari versions prior to 9.1.2, update to version 9.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 9.3.3 Apple Safari versions prior to 9.1.2 Apple tvOS versions prior to 9.2.2 **Description** A cross-site scripting (XSS) issue exists in the WebKit Page Loading implementation, allowing remote attackers to inject arbitrary web script or HTML via an HTTP response that specifies redirection, which is mishandled by Safari. **Recommendations** For Apple iOS versions prior to 9.3.3, update to version 9.3.3 or later. For Apple Safari versions prior to 9.1.2, update to version 9.1.2 or later. For Apple tvOS versions prior to 9.2.2, update to version 9.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Struts 2 versions 2.3.20 through 2.3.28.1 **Description** The issue exists due to insufficient input validation in the Apache Struts platform. This allows a remote attacker to bypass existing access restrictions by utilizing a default method, potentially conducting redirection attacks. **Recommendations** For Apache Struts 2 versions 2.3.20 through 2.3.28.1, consider disabling the default method as a temporary workaround until a patch is available. Restrict access to sensitive areas of the application to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 9.1 iOS versions prior to 9.3 **Description** The issue is related to the lack of protection for service data in the WebKit component's XSS auditor. This allows a remote attacker to obtain sensitive information using a specially crafted URL. The problem arises from the improper handling of redirects in block mode. **Recommendations** For Safari versions prior to 9.1, update to version 9.1 or later to resolve the issue. For iOS versions prior to 9.3, update to version 9.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PHPMailer versions prior to 5.2.14 **Description** The issue allows attackers to inject arbitrary SMTP commands via CRLF sequences in an email address to the `validateAddress` function in class.phpmailer.php or an SMTP command to the `sendCommand` function in class.smtp.php. This can be exploited by injecting line breaks into valid email addresses, which are not handled correctly in some contexts. **Recommendations** For versions prior to 5.2.14, update to version 5.2.14 or later to resolve the issue. As a temporary workaround, consider manually stripping line breaks from email addresses before passing them to PHPMailer.

**Name of the Vulnerable Software and Affected Versions** Apache Tapestry versions prior to 5.3.6 **Description** The issue allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized data, due to the reliance on client-side object storage without proper checks. **Recommendations** For versions prior to 5.3.6, update to version 5.3.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Symfony versions 2.3.x through 2.3.26 Symfony versions 2.4.x through 2.5.10 Symfony versions 2.6.x through 2.6.5 **Description** The issue allows remote attackers to execute arbitrary PHP code via a `language="php"` attribute of a `SCRIPT` element. Applications with ESI support enabled and using the Symfony built-in reverse proxy are vulnerable to PHP code injection. A malicious user can inject PHP code that will be executed by the server. The vulnerability comes from the use of `eval()` to execute files in the cache when they contain ESI tags, and the fact that PHP allows contents of `<script language="php">` tags to be executed. This issue can be exploited in combination with Cross-Site Scripting vulnerabilities, allowing an attacker to conduct a PHP code injection attack by passing a malicious tag in a user-submitted variable. **Recommendations** For Symfony versions 2.3.x through 2.3.26, update to version 2.3.27 or later. For Symfony versions 2.4.x through 2.5.10, update to version 2.5.11 or later. For Symfony versions 2.6.x through 2.6.5, update to version 2.6.6 or later. As a temporary workaround, consider disabling the ESI support in the Symfony built-in reverse proxy until a patch is available. Restrict access to the `HttpCache` class to minimize the risk of exploitation. Avoid using the `language` attribute in the `SCRIPT` element until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** JBoss RichFaces versions prior to 4.5.4 Tufin SecureChange (affected versions not specified) **Description** The issue allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code. This can be achieved via the `do` parameter. There is a report of this issue being used for unauthenticated remote code execution (RCE). **Recommendations** For JBoss RichFaces versions prior to 4.5.4, update to version 4.5.4 or later to resolve the issue. For Tufin SecureChange, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `do` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Direct Web Remoting (DWR) versions 2.0.10 and earlier, 3.x through 3.0.RC2 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions 2.0.10 and earlier, and 3.x through 3.0.RC2, update to a version later than 3.0.RC2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache Struts versions prior to 2.3.20 **Description** The issue is related to the ParametersInterceptor in Apache Struts, which does not properly restrict access to the getClass method. This allows remote attackers to manipulate the ClassLoader and execute arbitrary code via a crafted request. The vulnerability exists due to an incomplete fix for a previous issue. It is related to the implementation of the getClass method, which has access control deficiencies when using the ParametersInterceptor with the class parameter. Exploitation of this vulnerability can allow a remote attacker to execute arbitrary code by sending a specially crafted request. **Recommendations** For Apache Struts versions prior to 2.3.20, update to version 2.3.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the `getClass()` method via the ParametersInterceptor to minimize the risk of exploitation. Restrict access to the `class` parameter in the affected API endpoint to prevent manipulation of the ClassLoader.

**Name of the Vulnerable Software and Affected Versions** Apache Struts versions prior to 2.3.20 **Description** The issue is related to the CookieInterceptor in Apache Struts, where an incomplete fix for a previous issue has led to a vulnerability. This vulnerability allows remote attackers to manipulate the ClassLoader and execute arbitrary code via a crafted request, due to insufficient access restrictions when handling wildcard cookiesName values. The exploitation requires the application to be configured to accept all cookies, allowing access to the class parameter directly mapped to the getClass() method. **Recommendations** For Apache Struts versions prior to 2.3.20, update to version 2.3.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the getClass method in the CookieInterceptor class until a patch is available. Avoid using wildcard values for the cookiesName parameter in the CookieInterceptor to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 24.0 on Android **Description** The issue allows attackers to bypass the Same Origin Policy, which can lead to cross-site scripting (XSS) attacks or the unauthorized obtaining of password or cookie information. This is achieved by using a symlink in conjunction with a file: URL for a local file. **Recommendations** For Mozilla Firefox versions prior to 24.0 on Android, update to version 24.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache Struts versions 2.0.0 through 2.3.15 **Description** The issue is related to the implementation of the DefaultActionMapper mechanism in Apache Struts, which is associated with insufficient input validation when processing parameters with the `redirect:` or `redirectAction:` prefix. This can be exploited by remote attackers to conduct phishing attacks via a specially crafted URL. The vulnerability allows attackers to redirect users to arbitrary web sites. **Recommendations** For Apache Struts versions 2.0.0 through 2.3.15, consider updating to a version that contains a fix for this issue, as the current version allows for easy manipulation of the information following the `redirect:` or `redirectAction:` prefix to redirect to an arbitrary location. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Struts versions 2.0.0 through 2.3.15 **Description** The issue is related to the improper sanitization of input data in the DefaultActionMapper mechanism of Apache Struts. This allows a remote attacker to execute arbitrary OGNL expressions by crafting parameters with specific prefixes, such as `action:`, `redirect:`, or `redirectAction:`. The vulnerability can be exploited to execute server-side code. **Recommendations** For Apache Struts versions 2.0.0 through 2.3.15, update to a version later than 2.3.15.1 to resolve the issue. As a temporary workaround, consider restricting the use of parameters with the `action:`, `redirect:`, and `redirectAction:` prefixes to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GREE application versions prior to 1.3.3 **Description** The issue allows remote attackers to obtain sensitive information via a crafted URL, which is not properly handled during interaction with other applications. **Recommendations** For versions prior to 1.3.3, update to version 1.3.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome version before 18.0.1025308 on Android **Description** The issue is related to improper access restriction from JavaScript code to Android APIs. This allows remote attackers to have an unspecified impact via a crafted web page. **Recommendations** For Google Chrome version before 18.0.1025308 on Android, update to version 18.0.1025308 or later to resolve the issue.