Young Min Kim

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 122 **Description** The issue is related to insufficient access control in Mozilla Firefox, allowing a remote attacker to exploit it and set an arbitrary URI in the address bar or browser history. A compromised content process could update the document URI, enabling an attacker to perform such actions. **Recommendations** For versions prior to 122, update to version 122 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive features until the update is applied.

**Name of the Vulnerable Software and Affected Versions** MuseScore (affected versions not specified) **Description** This issue allows remote attackers to execute arbitrary code on affected installations of MuseScore. User interaction is required to exploit this issue, where the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CAP files, resulting from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this issue to execute code in the context of the current process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 112.0.5615.49 **Description** The issue is related to insufficient validation of untrusted input in the Safe Browsing feature, allowing a remote attacker to bypass download checking via a crafted HTML page. This could potentially reveal protected information. The estimated number of affected devices and real-world incidents are not specified. **Recommendations** For versions prior to 112.0.5615.49, update to version 112.0.5615.49 or later to resolve the issue. As a temporary workaround, consider restricting access to untrusted HTML pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 107.0.5304.62 Microsoft Edge (affected versions not specified) **Description** The issue is related to insufficient data validation in extensions, which could allow a remote attacker who has compromised the renderer process to leak cross-origin data via a crafted extension. This could potentially lead to unauthorized access to protected information. **Recommendations** For Google Chrome versions prior to 107.0.5304.62, update to version 107.0.5304.62 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 15.6 iOS versions prior to 15.6 iPadOS versions prior to 15.6 **Description** The issue is related to improved UI handling and may cause sensitive data leakage when visiting a maliciously crafted website. **Recommendations** For Safari versions prior to 15.6, update to Safari 15.6 or later. For iOS versions prior to 15.6, update to iOS 15.6 or later. For iPadOS versions prior to 15.6, update to iPadOS 15.6 or later.

**Name of the Vulnerable Software and Affected Versions** uBlock Origin versions prior to 1.41.1 **Description** A Cross Site Scripting (XSS) issue allows remote attackers to run arbitrary code via a spoofed `MessageSender.url` to the browser renderer process. This enables attackers to execute malicious scripts, potentially leading to unauthorized actions on the affected system. **Recommendations** For versions prior to 1.41.1, update to version 1.41.1 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable websites or disabling the uBlock Origin extension until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Whale browser versions prior to 3.12.129.18 **Description** The issue concerns the devtools API in the Whale browser, which allowed extension developers to inject arbitrary JavaScript into the extension store web page via `devtools.inspectedWindow`. This led to extensions downloading and uploading when users opened the developer tool. **Recommendations** For Whale browser versions prior to 3.12.129.18, update to version 3.12.129.18 or later to resolve the issue. As a temporary workaround, consider disabling the use of the devtools API until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Whale browser versions prior to 3.12.129.18 **Description** The issue concerns the Web Request API, which allowed access to be denied to the extension store or redirected to any URL when users attempted to access the store. **Recommendations** For versions prior to 3.12.129.18, update to version 3.12.129.18 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Whale browser versions prior to 3.12.129.18 **Description** The issue allows Whale Bridge, a default extension in Whale browser, to receive any SendMessage request from the content script itself. This could lead to controlling Whale Bridge if the rendering process compromises. **Recommendations** For versions prior to 3.12.129.18, update to version 3.12.129.18 or later to resolve the issue. As a temporary workaround, consider restricting access to the Whale Bridge extension to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Whale browser versions prior to 3.12.129.18 **Description** The issue allows extensions to replace JavaScript files of the HWP viewer website, which could access local HWP files. When the HWP files are opened, the replaced script can read the files. **Recommendations** For versions prior to 3.12.129.18, update to version 3.12.129.18 or later to resolve the issue. As a temporary workaround, consider disabling the use of extensions that can replace JavaScript files of the HWP viewer website until a patch is applied. Restrict access to local HWP files when using the HWP viewer website in the Whale browser to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 98 **Description** The issue is related to the Autofill tooltips in Firefox, where the text displayed cannot be directly read by JavaScript but is rendered using page fonts. This could lead to side-channel attacks using specially crafted fonts, potentially allowing an attacker to infer the text. The vulnerability is associated with a lack of protection for sensitive data, which could enable an unauthorized party to access protected information. **Recommendations** For versions prior to 98, update to version 98 or later to resolve the issue. As a temporary workaround, consider restricting the use of Autofill tooltips until a patch is applied. Avoid using specially crafted fonts that could be used in side-channel attacks.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge (Chromium-based) (affected versions not specified) **Description** The issue is related to errors in the representation of information by the user interface. Exploitation of this issue may allow a remote attacker to conduct spoofing attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Whale browser versions prior to 3.12.129.46 **Description** A Built-in extension in the Whale browser allows attackers to compromise the rendering process, which could lead to controlling browser internal APIs. **Recommendations** For versions prior to 3.12.129.46, update to version 3.12.129.46 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 97.0.4692.71 **Description** The issue is related to an inappropriate implementation in the Autofill feature of Google Chrome, which can allow a remote attacker to obtain potentially sensitive information. This can be achieved via a crafted HTML page, exploiting errors in how information is presented to the user interface. **Recommendations** For Google Chrome versions prior to 97.0.4692.71, update to version 97.0.4692.71 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Microsoft PowerShell (affected versions not specified) **Description** The issue is related to errors in the representation of information by the user interface of the PowerShell interpreter. Exploitation of this issue may allow an attacker to conduct spoofing attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.