David Coomber

**Name of the Vulnerable Software and Affected Versions** Apple Music versions prior to 4.2.0 for Android **Description** The issue allows an attacker in a privileged network position to intercept network traffic. This was addressed by using HTTPS when sending information over the network. **Recommendations** For Apple Music versions prior to 4.2.0 for Android, update to version 4.2.0 or later to resolve the issue.

**Nome do software vulnerável e versões afetadas** Versões do Apple Music anteriores à 3.9.10 para Android **Descrição** O problema está relacionado ao gerenciamento incorreto das sessões dos protocolos TLS e SSL no aplicativo Apple Music para Android, permitindo que um invasor remoto intercepte as sessões dos usuários. Isso pode ser explorado por um usuário em uma posição privilegiada na rede para interceptar conexões SSL/TLS. O problema foi resolvido com o uso de HTTPS ao enviar informações pela rede. **Recomendações** Para versões do Apple Music anteriores à 3.9.10 para Android, atualize para a versão 3.9.10 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso à rede a fontes confiáveis até que a atualização seja aplicada.

**Nome do software vulnerável e versões afetadas: Versões do CIRA Canadian Shield anteriores à 4.0.13 Descrição: O problema está relacionado à falta de validação do certificado SSL no aplicativo CIRA Canadian Shield. Isso poderia potencialmente permitir ataques do tipo man-in-the-middle (MITM). Recomendações: Para versões anteriores à 4.0.13, atualize para a versão 4.0.13 ou posterior para resolver o problema. Como solução temporária, considere restringir o uso do aplicativo até que a atualização seja aplicada.

**Name of the Vulnerable Software and Affected Versions** Texture versions prior to 5.11.10 for iOS Texture versions prior to 4.22.0.4 for Android **Description** The issue allowed some analytics data to be sent over HTTP instead of HTTPS, potentially exposing it to interception by an attacker in a privileged network position. This could have been exploited to obtain sensitive information. **Recommendations** For Texture versions prior to 5.11.10 for iOS, update to version 5.11.10 or later. For Texture versions prior to 4.22.0.4 for Android, update to version 4.22.0.4 or later.

**Name of the Vulnerable Software and Affected Versions** MasterCard Qkr! app versions prior to 5.0.8 **Description** The issue concerns missing SSL certificate validation. It is noted that this only applies to obsolete versions from 2016 or earlier. **Recommendations** For versions prior to 5.0.8, update to version 5.0.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ShoreTel Mobility Client app version 9.1.3.109 **Description** The issue is related to the failure of the ShoreTel Mobility Client app to properly validate SSL certificates provided by HTTPS connections. This could allow an attacker, in a position to perform a man-in-the-middle (MITM) attack, to obtain sensitive account information, such as login credentials. **Recommendations** For version 9.1.3.109, consider disabling the use of HTTPS connections until a patch is available that properly validates SSL certificates. Restrict access to sensitive account information to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple Support app version 1.1 and earlier **Description** The issue involves the `Analytics` component and allows remote attackers to obtain sensitive analytics information. This is possible because the information is transmitted in cleartext HTTP to an Adobe Marketing Cloud server operated for Apple. The sensitive information that can be obtained includes details about the installation date and time. **Recommendations** For Apple Support app version 1.1 and earlier, update to version 1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `Analytics` component until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Acer Portal app versions prior to 3.9.4.2000 **Description** The issue allows remote attackers to perform a Man-in-the-middle attack via a crafted SSL certificate, due to improper validation of SSL certificates. **Recommendations** For versions prior to 3.9.4.2000, update to version 3.9.4.2000 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple Music (aka com.apple.android.music) version 1.x and earlier **Description** The issue allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate because it does not verify X.509 certificates from SSL servers. **Recommendations** For Apple Music (aka com.apple.android.music) version 1.x and earlier, update to version 2.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Kaspersky Safe Browser iOS versions prior to 1.7.0 **Description** The issue is related to the lack of verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to obtain sensitive information via a crafted certificate. This can enable a remote attacker to gain confidential information by exploiting the vulnerability with a specially formed certificate. **Recommendations** For versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive information when using the affected browser version until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Dell SecureWorks app version prior to 2.1 for iOS **Description** The issue allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate, due to the app not validating SSL certificates. **Recommendations** For versions prior to 2.1, update to version 2.1 or later to resolve the issue. As a temporary workaround, consider disabling the use of SSL connections in the app until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Internet Explorer versions 6.0 SP1 and earlier Description: The issue allows remote attackers to cause a denial of service, resulting in an application crash due to memory corruption. This is achieved through certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows. An example of such a malformed CSS element is the "<STYLE>@;/*" string. The cause may be attributed to a missing comment terminator, potentially leading to an invalid length that triggers a large memory copy operation. Recommendations: For Internet Explorer versions 6.0 SP1 and earlier, consider disabling the processing of CSS elements until a patch is available. Restrict access to potentially malicious web content to minimize the risk of exploitation.