Vsevolod Kokorin

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 131.0.6778.69 Microsoft Edge (affected versions not specified) Description: The issue is related to an inappropriate implementation in Extensions in Google Chrome and a vulnerability in the Blink rendering module in Microsoft Edge and Google Chrome browsers. This vulnerability is associated with incorrectly implemented security checks for standard elements. Exploitation of the vulnerability may allow a remote attacker to bypass site isolation via a crafted Chrome Extension or affect the integrity of protected information using a specially crafted web page. Recommendations: For Google Chrome versions prior to 131.0.6778.69, update to version 131.0.6778.69 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 130.0.6723.69 Microsoft Edge (affected versions not specified) Description: The issue is related to an inappropriate implementation in Extensions, allowing a remote attacker to bypass site isolation via a crafted Chrome Extension. This could potentially allow an attacker to bypass security restrictions. An exploit for this issue is available, with a proof-of-concept demonstrating the bypass of site isolation. The exploit involves a web service worker intercepting a request and responding with arbitrary content. Recommendations: For Google Chrome versions prior to 130.0.6723.69, update to version 130.0.6723.69 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the use of extensions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** mysql2 versions prior to 3.9.4 **Description** The issue is related to the `readCodeFor` function in the mysql2 package, which is vulnerable to Remote Code Execution (RCE) due to improper validation of the `supportBigNumbers` and `bigNumberStrings` values. This allows a remote attacker to execute arbitrary code. **Recommendations** For versions prior to 3.9.4, update to version 3.9.4 or later to resolve the issue. As a temporary workaround, consider disabling the `readCodeFor` function until a patch is available. Restrict access to the mysql2 package to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** mysql2 versions prior to 3.9.4 **Description** The issue is related to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through `parserFn` in `text parser.js` and `binary parser.js`. **Recommendations** For versions prior to 3.9.4, update to version 3.9.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `parserFn` function in `text parser.js` and `binary parser.js` until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** mysql2 versions prior to 3.9.3 **Description** The issue is related to Improper Input Validation through the `keyFromFields` function, resulting in cache poisoning. An attacker can inject a colon `:` character within a value of the attacker-crafted key. **Recommendations** For versions prior to 3.9.3, update to version 3.9.3 or later to resolve the issue. As a temporary workaround, consider restricting the input to the `keyFromFields` function to prevent the injection of malicious characters.

**Name of the Vulnerable Software and Affected Versions** sanitize-html versions prior to 2.12.1 **Description** The issue allows for Information Exposure when the style attribute is permitted on the backend, enabling an attacker to enumerate files in the system, including project dependencies. This could be exploited to gather details about the file system structure and dependencies of the targeted server. **Recommendations** For versions prior to 2.12.1, update to version 2.12.1 or later to resolve the issue. As a temporary workaround, consider disabling the style attribute when using sanitize-html on the backend to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 119.0.6045.105 **Description** The issue is related to an inappropriate implementation in the Payments component of Google Chrome, allowing a remote attacker to bypass XSS preventions via a malicious file. This can enable the attacker to circumvent security restrictions and gain unauthorized access to protected information. The Chromium security severity of this issue is rated as High. **Recommendations** For Google Chrome versions prior to 119.0.6045.105, update to version 119.0.6045.105 or later to resolve the issue. As a temporary workaround, consider restricting access to the Payments component until a patch is applied. Avoid using potentially vulnerable features in the affected versions until the issue is resolved.