Nishimunea

**Nome do software vulnerável e versões afetadas** Versões do Google Chrome anteriores à 123.0.6312.58 **Descrição** O problema está relacionado a uma interface de usuário de segurança incorreta no Google Chrome, permitindo que um invasor remoto realize spoofing da interface de usuário por meio de uma página HTML maliciosa. Isso pode ser feito explorando a limitação incorreta das camadas visualizadas da interface de usuário. O número estimado de dispositivos potencialmente afetados em todo o mundo não foi fornecido. Não há informações sobre incidentes reais em que esse problema tenha sido explorado. **Recomendações** Para versões anteriores à 123.0.6312.58, atualize para a versão 123.0.6312.58 ou posterior para resolver o problema. Como solução alternativa temporária, considere restringir o uso de páginas HTML criadas especificamente para minimizar o risco de exploração. Evite usar o Google Chrome para operações confidenciais até que o problema seja resolvido.

**Nome do software vulnerável e versões afetadas** Versões do Google Chrome anteriores à 121.0.6167.85 **Descrição** O problema está relacionado a uma interface de segurança incorreta na seção Pagamentos, permitindo que um invasor remoto possa falsificar a interface de segurança por meio de uma página HTML maliciosa. Isso poderia permitir que o invasor contornasse as restrições de segurança. A gravidade deste problema é classificada como Média. **Recomendações** Para versões do Google Chrome anteriores à 121.0.6167.85, atualize para a versão 121.0.6167.85 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso ao componente Pagamentos até que um patch seja aplicado. Evite usar páginas HTML criadas especificamente para explorar essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Google Chrome no iOS, versões anteriores à 92.0.4515.107 **Descrição** O problema está relacionado à aplicação insuficiente de políticas no tratamento de imagens, permitindo que um invasor remoto divulgue dados entre origens por meio de uma página HTML maliciosa. Isso pode permitir que o invasor contorne restrições de segurança e obtenha acesso não autorizado a informações protegidas. **Recomendações** Para o Google Chrome em versões do iOS anteriores à 92.0.4515.107, atualize para a versão 92.0.4515.107 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso a páginas HTML potencialmente vulneráveis até que a atualização seja aplicada.

**Nome do software vulnerável e versões afetadas: Google Chrome no iOS, versões anteriores à 89.0.4389.72 Descrição: O problema está relacionado à validação insuficiente de dados no Google Chrome no iOS, o que permite que um invasor remoto divulgue dados entre origens por meio de uma página HTML maliciosa. Isso pode levar ao acesso não autorizado a informações protegidas. Recomendações: Para o Google Chrome no iOS em versões anteriores à 89.0.4389.72, atualize para a versão 89.0.4389.72 ou posterior para resolver o problema.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 10.3 Apple Safari versions prior to 10.1 **Description** The issue involves the Safari component and allows remote attackers to spoof the address bar by leveraging text input during the loading of a page. **Recommendations** For iOS versions prior to 10.3, update to version 10.3 or later. For Safari versions prior to 10.1, update to version 10.1 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 10.2 Safari versions prior to 10.0.2 iCloud versions prior to 6.1 iTunes versions prior to 12.5.4 **Description** The issue involves the WebKit component and allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site that uses HTTP redirects. This is related to a lack of protection for service data, which can be exploited by a remote attacker to bypass existing access restriction policies or obtain confidential information using a specially formed website. **Recommendations** For iOS versions prior to 10.2, update to version 10.2 or later. For Safari versions prior to 10.0.2, update to version 10.0.2 or later. For iCloud versions prior to 6.1, update to version 6.1 or later. For iTunes versions prior to 12.5.4, update to version 12.5.4 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Cordova iOS versions prior to 4.0.0 **Description** The issue allows remote attackers to execute arbitrary plugins via a link. **Recommendations** For versions prior to 4.0.0, update to version 4.0.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache Cordova iOS versions prior to 4.0.0 **Description** The issue allows attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods. **Recommendations** For versions prior to 4.0.0, update to version 4.0.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 9.1 iOS versions prior to 9.3 **Description** The issue is related to insufficient access control in the WebKit component of Safari and iOS. It can be exploited by a remote attacker using a specially crafted website to bypass port restrictions. **Recommendations** For Safari versions prior to 9.1, update to version 9.1 or later to resolve the issue. For iOS versions prior to 9.3, update to version 9.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 45.0 **Description** The issue allows remote attackers to bypass the Same Origin Policy and obtain sensitive information by reading a Content Security Policy (CSP) violation report that contains path information associated with an IFRAME element. This is related to a lack of protection for service data, which can be exploited by a remote attacker to bypass existing access restriction policies or gain confidential information. **Recommendations** For versions prior to 45.0, update to version 45.0 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive information and limiting the use of IFRAME elements until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 9.2 Apple OS X versions prior to 10.11.2 **Description** The issue allows man-in-the-middle attackers to bypass the HSTS protection mechanism via a crafted URL, specifically affecting the CFNetwork HTTPProtocol. **Recommendations** For Apple iOS versions prior to 9.2, update to version 9.2 or later. For Apple OS X versions prior to 10.11.2, update to version 10.11.2 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 46.0.2490.71 Opera (affected versions not specified) **Description** The issue is related to the CSSFontFaceSrcValue::fetch function in the Cascading Style Sheets (CSS) implementation in Blink. This function does not use the CORS cross-origin request algorithm when a font's URL appears to be a same-origin URL. As a result, remote web servers can bypass the Same Origin Policy via a redirect. The vulnerability is associated with errors in security settings, which can be exploited by a remote attacker to circumvent existing access restriction policies. **Recommendations** For Google Chrome versions prior to 46.0.2490.71, update to version 46.0.2490.71 or later to resolve the issue. For Opera, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 46.0.2490.71 Opera (affected versions not specified) **Description** The issue is related to the Blink component in Google Chrome and concerns weaknesses in access control mechanisms. It allows a remote attacker to obtain sensitive information by exploiting the shouldTreatAsUniqueOrigin function in SecurityOrigin.cpp, which fails to ensure the origin of a LocalStorage resource is considered unique. This can be achieved via vectors involving a blob: URL. **Recommendations** For Google Chrome versions prior to 46.0.2490.71, update to version 46.0.2490.71 or later to resolve the issue. For Opera, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple Safari versions prior to 6.2.8 Apple Safari versions 7.x prior to 7.1.8 Apple Safari versions 8.x prior to 8.0.8 iOS versions prior to 8.4.1 **Description** The issue is related to errors in security settings of the WebKit component in Safari and iOS. It may allow a remote attacker to gain access to protected information by conducting man-in-the-middle attacks and modifying the data stream between the client and server. This can be achieved by exploiting the lack of enforcement of the HTTP Strict Transport Security (HSTS) protection mechanism for Content Security Policy (CSP) report requests, allowing attackers to obtain sensitive information by sniffing the network or spoofing a report. **Recommendations** For Apple Safari versions prior to 6.2.8, update to version 6.2.8 or later. For Apple Safari versions 7.x prior to 7.1.8, update to version 7.1.8 or later. For Apple Safari versions 8.x prior to 8.0.8, update to version 8.0.8 or later. For iOS versions prior to 8.4.1, update to version 8.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 6.2.8 Safari versions 7.x prior to 7.1.8 Safari versions 8.x prior to 8.0.8 iOS versions prior to 8.4.1 **Description** The issue allows remote attackers to bypass a Content Security Policy protection mechanism. This can be achieved by using a video control in conjunction with an IMG element within an OBJECT element. The vulnerability is related to errors in security settings, which can be exploited by a remote attacker to bypass access restriction rules using embedded video content management mechanisms. **Recommendations** For Safari versions prior to 6.2.8, update to version 6.2.8 or later. For Safari versions 7.x prior to 7.1.8, update to version 7.1.8 or later. For Safari versions 8.x prior to 8.0.8, update to version 8.0.8 or later. For iOS versions prior to 8.4.1, update to version 8.4.1 or later.