Wladimir Palant

**Name of the Vulnerable Software and Affected Versions** Skype Extension for Chrome (affected versions not specified) **Description** The issue is related to insufficient restrictions in the controlled area of the system, which can be exploited by a remote attacker to gain unauthorized access to protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firefox for Android versions prior to 96 **Description** The issue allows navigation to some URLs that do not point to web content when scanning QR codes. This bug only affects Firefox for Android, with other operating systems being unaffected. **Recommendations** For Firefox for Android versions prior to 96, update to version 96 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox for Android versions prior to 90 **Description** The issue is related to the password autofill feature in Firefox for Android, which was enabled without user interaction on insecure websites. This allowed potential unauthorized access to protected information due to insufficient access control. The problem has been corrected to require user interaction before autofill functionality enters a user's password. **Recommendations** For Firefox for Android versions prior to 90, update to version 90 or later to resolve the issue. As a temporary workaround, consider disabling the password autofill feature until the update is applied. Restrict access to sensitive information when using Firefox for Android versions prior to 90 to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 89 Firefox for Android versions prior to 89 **Description** The issue is related to insufficient authentication of data in the "Private Browsing" mode of Mozilla Firefox. It allows a remote attacker to cause a denial of service. The problem specifically affects the address bar search suggestions in private browsing mode, which were reusing session data from normal mode. This issue only affects Firefox for Android, with other operating systems being unaffected. **Recommendations** For Firefox versions prior to 89, update to version 89 or later to resolve the issue. For Firefox for Android versions prior to 89, update to version 89 or later to resolve the issue. As a temporary workaround, consider disabling the address bar search suggestions in private browsing mode until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Firefox for Android versions prior to 89 **Description** The issue is related to the incorrect cleanup or release of resources, which can be exploited by an attacker to cause a denial of service. This can happen when a website opens too many popups, causing Firefox for Android to become unstable and hard to recover. The estimated number of potentially affected devices is not specified. **Recommendations** For Firefox for Android versions prior to 89, update to version 89 or later to resolve the issue. As a temporary workaround, consider restricting the number of popups that can be opened by a website to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 88.0.1 Firefox for Android versions prior to 88.1.3 **Description** A malicious webpage could force a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting issue. This issue only affects Firefox for Android, with other operating systems being unaffected. The vulnerability can be exploited by a remote attacker using a specially crafted link, allowing for a cross-site scripting (XSS) attack. **Recommendations** For Firefox versions prior to 88.0.1, update to version 88.0.1 or later. For Firefox for Android versions prior to 88.1.3, update to version 88.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 88 **Description** The issue is related to a lack of escaping, allowing HTML injection when a webpage is viewed in Reader View. Although a Content Security Policy prevents direct code execution, HTML injection is still possible. This issue only affects Firefox for Android, with other operating systems being unaffected. **Recommendations** For versions prior to 88, update to version 88 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Bitdefender Total Security 2020 versions prior to 24.0.20.116 **Description** The issue is related to an Improper Input Validation vulnerability in the Safepay browser component, allowing an external, specially crafted web page to run remote commands inside the Safepay Utility process. This vulnerability can be exploited to achieve remote code execution (RCE) from any website. The vulnerability is not the first instance of a security flaw in antivirus software, as similar issues have been found in other antivirus products in the past. **Recommendations** For Bitdefender Total Security 2020 versions prior to 24.0.20.116, update to version 24.0.20.116 or later to resolve the issue. As a temporary workaround, consider restricting access to the Safepay browser component until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Kaspersky Anti-Virus versions up to 2020 Kaspersky Internet Security versions up to 2020 Kaspersky Total Security versions up to 2020 Kaspersky Free Anti-Virus versions up to 2020 Kaspersky Small Office Security versions up to 2020 Kaspersky Security Cloud versions up to 2020 **Description** The web protection component of the affected Kaspersky products contains an issue that allows a remote attacker to disable various anti-virus protection features, potentially leading to a denial of service (DoS) or bypass of security measures. This is due to insufficient input validation. **Recommendations** For Kaspersky Anti-Virus versions up to 2020, update to a version later than 2020 to resolve the issue. For Kaspersky Internet Security versions up to 2020, update to a version later than 2020 to resolve the issue. For Kaspersky Total Security versions up to 2020, update to a version later than 2020 to resolve the issue. For Kaspersky Free Anti-Virus versions up to 2020, update to a version later than 2020 to resolve the issue. For Kaspersky Small Office Security versions up to 2020, update to a version later than 2020 to resolve the issue. For Kaspersky Security Cloud versions up to 2020, update to a version later than 2020 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Kaspersky Anti-Virus versions up to 2020 Kaspersky Internet Security versions up to 2020 Kaspersky Total Security versions up to 2020 Kaspersky Free Anti-Virus versions up to 2020 Kaspersky Small Office Security versions up to 2020 Kaspersky Security Cloud versions up to 2020 **Description** The web protection component of the affected Kaspersky products contains an issue due to insufficient input validation, allowing a remote attacker to disable security features such as private browsing and anti-banner protection. **Recommendations** For Kaspersky Anti-Virus versions up to 2020, consider disabling the web protection component until a patch is available. For Kaspersky Internet Security versions up to 2020, restrict access to the web protection component to minimize the risk of exploitation. For Kaspersky Total Security versions up to 2020, avoid using the private browsing feature in the web protection component until the issue is resolved. For Kaspersky Free Anti-Virus versions up to 2020, consider temporarily disabling the anti-banner protection feature. For Kaspersky Small Office Security versions up to 2020, restrict access to the web protection component. For Kaspersky Security Cloud versions up to 2020, consider disabling the web protection component.

**Name of the Vulnerable Software and Affected Versions** Kaspersky Anti-Virus versions up to 2020 Kaspersky Internet Security versions up to 2020 Kaspersky Total Security versions up to 2020 Kaspersky Free Anti-Virus versions up to 2020 Kaspersky Small Office Security versions up to 2020 Kaspersky Security Cloud versions up to 2020 **Description** The web protection component of the affected Kaspersky products was vulnerable to remote disclosure of various information about the user's system, including Windows version, product version, and host unique ID. This issue is related to the lack of protection for service data, which could allow a remote attacker to disclose protected information. **Recommendations** For Kaspersky Anti-Virus versions up to 2020, update to a version later than 2020 to resolve the issue. For Kaspersky Internet Security versions up to 2020, update to a version later than 2020 to resolve the issue. For Kaspersky Total Security versions up to 2020, update to a version later than 2020 to resolve the issue. For Kaspersky Free Anti-Virus versions up to 2020, update to a version later than 2020 to resolve the issue. For Kaspersky Small Office Security versions up to 2020, update to a version later than 2020 to resolve the issue. For Kaspersky Security Cloud versions up to 2020, update to a version later than 2020 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 69 Firefox ESR versions prior to 68.1 **Description** The issue is related to Content Security Policy (CSP) directives that use hash-based sources. If such a directive is defined with an empty string as input, it allows the execution of any javascript: URIs, potentially bypassing CSP permissions and enabling malicious JavaScript content to run. This could allow a remote attacker to execute arbitrary code. **Recommendations** For Firefox versions prior to 69, update to version 69 or later to resolve the issue. For Firefox ESR versions prior to 68.1, update to version 68.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Kaspersky Anti-Virus versions up to 2019 Kaspersky Internet Security versions up to 2019 Kaspersky Total Security versions up to 2019 Kaspersky Free Anti-Virus (affected versions not specified) Kaspersky Small Office Security (affected versions not specified) **Description** The issue is related to information disclosure in Kaspersky antivirus products. It could potentially disclose a unique Product ID by forcing the victim to visit a specially crafted webpage, such as via clicking a phishing link. This could allow a remote attacker to reveal protected information using a specially formed web page. The flaw may have allowed online trackers to identify users without using browser cookies. **Recommendations** For Kaspersky Anti-Virus versions up to 2019, update to a version later than 2019 to resolve the issue. For Kaspersky Internet Security versions up to 2019, update to a version later than 2019 to resolve the issue. For Kaspersky Total Security versions up to 2019, update to a version later than 2019 to resolve the issue. For Kaspersky Free Anti-Virus, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Kaspersky Small Office Security, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 52.8 Firefox versions prior to 60 PDF.js versions prior to 2.0.550 **Description** The issue is related to errors in code generation management in the PDF Viewer component of Firefox ESR and Firefox browsers. It allows a remote attacker to execute arbitrary code using a specially crafted PDF file. The PDF viewer does not sufficiently sanitize PostScript calculator functions, enabling malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. **Recommendations** For Firefox ESR versions prior to 52.8, update to version 52.8 or later. For Firefox versions prior to 60, update to version 60 or later. For PDF.js versions prior to 2.0.550, update to version 2.0.550 or later.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 52.8 Thunderbird ESR versions prior to 52.8 Firefox versions prior to 60 Firefox ESR versions prior to 52.8 **Description** The issue is related to the manipulation of the `baseURI` property of the theme element, allowing sites to bypass security checks on permissions to install lightweight themes. This could enable a malicious site to install a theme without user interaction, potentially containing offensive or embarrassing images. The vulnerability is associated with errors in processing permissions. **Recommendations** For Thunderbird versions prior to 52.8, update to version 52.8 or later. For Thunderbird ESR versions prior to 52.8, update to version 52.8 or later. For Firefox versions prior to 60, update to version 60 or later. For Firefox ESR versions prior to 52.8, update to version 52.8 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 52.8 Firefox versions prior to 60 **Description** The issue allows a malicious site to bypass same-origin protections for the PDF viewer, potentially intercepting messages meant for the viewer. This could enable the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website. The vulnerability is also described as being due to insufficient input validation in the Capture Handler component of Firefox ESR and Firefox browsers, which could allow a remote attacker to elevate their privileges. **Recommendations** For Firefox ESR versions prior to 52.8, update to version 52.8 or later. For Firefox versions prior to 60, update to version 60 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 60 **Description** The issue is related to the web console and JavaScript debugger not properly sanitizing output, which can lead to displaying internal chrome pages as active hyperlinks. This could allow malicious sites to trick users into clicking on "javascript:" links, potentially leading to unauthorized access to protected information. **Recommendations** For versions prior to 60, update to version 60 or later to resolve the issue. As a temporary workaround, consider restricting access to the web console and JavaScript debugger to minimize the risk of exploitation. Avoid clicking on suspicious links, especially those starting with "chrome:" or "javascript:".

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 45.6 Firefox versions prior to 50.1 **Description** The Pocket toolbar button in Firefox does not verify the origin of incoming events, allowing content from other origins to fire events and inject content and commands into the Pocket context. This issue does not affect users with e10s enabled. **Recommendations** For Firefox ESR versions prior to 45.6, update to version 45.6 or later to resolve the issue. For Firefox versions prior to 50.1, update to version 50.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 45.6 Firefox versions prior to 50.1 **Description** The issue allows HTML tags received from the Pocket server to be processed without sanitization, enabling any JavaScript code to be executed in the "about:pocket-saved" page. This gives the code access to Pocket's messaging API through HTML injection. **Recommendations** For Firefox ESR versions prior to 45.6, update to version 45.6 or later. For Firefox versions prior to 50.1, update to version 50.1 or later.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 2.16rc1 through 4.4.11 Bugzilla versions 4.5.1 through 5.0.2 **Description** A cross-site scripting (XSS) issue exists in the dependency graphs of Bugzilla, allowing remote attackers to inject arbitrary web script or HTML. This enables attackers to execute malicious scripts on the victim's browser, potentially leading to unauthorized actions or data theft. **Recommendations** For Bugzilla versions 2.16rc1 through 4.4.11, update to a version outside of this range to resolve the issue. For Bugzilla versions 4.5.1 through 5.0.2, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the dependency graphs feature until a patch is available.