Tag
#vulnerability
**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

**How can I see the version of the browser?**

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on **Help and Feedback**
3. Click on **About Microsoft Edge**
**What architecture(s) are impacted by this vulnerability?** This vulnerability impacts ARM64 only.
**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploited this vulnerability could achieve elevation of privilege and gain the ability to read the API component.
**According to the CVSS metric, Attack Vector is Local (AV:L). What does that mean for this vulnerability?** An attacker would have to have local presence on the device through malware or a malicious application to be able to exploit this vulnerability.
An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.
The Joint Cyber Defense Collaborative playbook seeks to establish "a unified approach" on how to handle AI-related cybersecurity threats.
### Impact

_What kind of vulnerability is it? Who is impacted?_

Remote code execution may be possible in web-accessible installations of Homarus in certain configurations.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

The issue has been patched in `islandora/crayfish:4.1.0`.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

The exploit requires making a request against Homarus's `/convert` endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so:

- Prevent general access from the Internet from hitting Homarus.
- Configure auth in Crayfish to be more strongly required, such that requests with `Authorization` headers that do not validate are rejected before the problematic CLI interpolation occurs.

### References

_Are there any links users can visit to find out more?_

- XBOW-024-071
It's an especially brazen form of malvertising, researchers say, striking at the heart of Google's business; the tech giant says it's aware of the issue and is working quickly to address the problem.