Erling Ellingsen

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 10.3 **Description** The issue concerns the Safari Reader component and is due to the lack of protection for the web page structure. This allows a remote attacker to conduct a Universal XSS (UXSS) attack using a specially crafted website. UXSS stands for Universal Cross-Site Scripting, which is a type of attack that allows an attacker to inject malicious scripts into a website, potentially affecting all users of the site. **Recommendations** For iOS versions prior to 10.3, update to a version 10.3 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the Safari Reader component until a patch is available. Restrict access to specially crafted web sites to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 10.2 Safari versions prior to 10.0.2 **Description** The issue involves the Safari Reader component, which allows remote attackers to conduct UXSS attacks via a crafted web site. This is due to the lack of protection for the web page structure. The exploitation of this issue may allow a remote attacker to conduct UXSS attacks using a specially formed web site. **Recommendations** For iOS versions prior to 10.2, update to version 10.2 or later to resolve the issue. For Safari versions prior to 10.0.2, update to version 10.0.2 or later to resolve the issue. As a temporary workaround, consider disabling the Safari Reader component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 10 Apple iOS versions prior to 10 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via a crafted web site. This is also referred to as "Universal XSS (UXSS)". **Recommendations** For Safari versions prior to 10, update to version 10 or later to resolve the issue. For Apple iOS versions prior to 10, update to version 10 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 9 **Description** The issue is related to errors in security settings, allowing a remote attacker to exploit it by using a specially crafted website to spoof the relationship between URLs and web content. This can lead to the substitution of web page content. **Recommendations** For versions prior to 9, update to version 9 or later to resolve the issue. As a temporary workaround, consider restricting access to untrusted websites to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 9 **Description** The issue concerns the document.cookie API implementation in the CFNetwork Cookies subsystem in WebKit, allowing remote attackers to bypass an intended single-cookie restriction. **Recommendations** For versions prior to 9, update to iOS version 9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple Safari versions prior to 6.0.5 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via vectors involving IFRAME elements. **Recommendations** For versions prior to 6.0.5, update to version 6.0.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 6 **Description** The issue concerns the CFNetwork component in Apple iOS, which fails to properly identify the host portion of a URL. This allows remote attackers to obtain sensitive information by constructing an HTTP request with an incorrect hostname derived from a malformed URL. **Recommendations** For versions prior to 6, update to a version 6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 5.1 **Description** The issue allows remote attackers to obtain sensitive information via a malformed URL. This occurs due to improper construction of request headers during URL parsing. **Recommendations** For versions prior to 5.1, update to iOS version 5.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X versions 10.7.x through 10.7.2 **Description** The issue allows remote attackers to obtain sensitive information via a malformed URL, due to improper construction of request headers during URL parsing. **Recommendations** For Apple Mac OS X versions 10.7.x through 10.7.2, update to version 10.7.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 5.0.1 **Description** The issue allows remote attackers to obtain sensitive information via a crafted DNS hostname, due to the `libinfo` component not properly formulating domain-name queries. **Recommendations** For Apple iOS versions prior to 5.0.1, update to version 5.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 5.0.1 Apple Mac OS X versions prior to 10.7.2 **Description** The issue allows remote attackers to trigger visits to unintended web sites and transmit cookies to unintended web sites via a crafted http or https URL, due to improper URL parsing. **Recommendations** For Apple iOS versions prior to 5.0.1, update to version 5.0.1 or later. For Apple Mac OS X versions prior to 10.7.2, update to version 10.7.2 or later.