Zhiyang Zeng

**Nome do software vulnerável e versões afetadas** Versões do Safari anteriores à 13.1.2 Versões do macOS Big Sur anteriores à 11.0.1 **Descrição** Um problema de inconsistência na interface do usuário foi corrigido com um gerenciamento de estado aprimorado. Acessar um site malicioso pode levar à falsificação da barra de endereços. **Recomendações** Para versões do Safari anteriores à 13.1.2, atualize para o Safari 13.1.2 ou posterior para resolver o problema. Para versões do macOS Big Sur anteriores à 11.0.1, atualize para o macOS Big Sur 11.0.1 ou posterior para resolver o problema.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 79.0.3945.79 **Description** The issue is related to an insufficient data validation mechanism in the external protocol handling of Google Chrome. This can be exploited by a remote attacker using a crafted HTML page, potentially affecting data integrity. **Recommendations** For versions prior to 79.0.3945.79, update to version 79.0.3945.79 or later to resolve the issue. As a temporary workaround, consider restricting access to external protocols to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 12.2 tvOS versions prior to 12.2 Safari versions prior to 12.1 iTunes versions prior to 12.9.4 for Windows iCloud for Windows versions prior to 7.11 **Description** A memory corruption issue was addressed with improved state management. Processing maliciously crafted web content may lead to arbitrary code execution. The issue is related to a buffer overflow in the WebKit module, which can allow a remote attacker to execute arbitrary code. **Recommendations** For iOS versions prior to 12.2, update to iOS 12.2 or later. For tvOS versions prior to 12.2, update to tvOS 12.2 or later. For Safari versions prior to 12.1, update to Safari 12.1 or later. For iTunes versions prior to 12.9.4 for Windows, update to iTunes 12.9.4 for Windows or later. For iCloud for Windows versions prior to 7.11, update to iCloud for Windows 7.11 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 11.3.1 macOS versions prior to 10.13.4 Security Update 2018-001 **Description** The issue involves the `LinkPresentation` component and allows remote attackers to spoof the UI via a crafted URL in a text message. **Recommendations** For iOS versions prior to 11.3.1, update to version 11.3.1 or later. For macOS versions prior to 10.13.4 Security Update 2018-001, apply the 10.13.4 Security Update 2018-001 or later.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 11.3 **Description** The issue involves the Safari component and allows remote attackers to spoof the user interface via a crafted web site. **Recommendations** For versions prior to 11.3, update to version 11.3 or later to resolve the issue. As a temporary workaround, consider restricting access to suspicious web sites to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 11.0.1 **Description** An issue in Safari allows remote attackers to spoof the address bar via a crafted web site, involving the Safari component. **Recommendations** For versions prior to 11.0.1, update to version 11.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 10.3.3 Safari versions prior to 10.1.2 iCloud versions prior to 6.2.2 on Windows iTunes versions prior to 12.6.2 on Windows tvOS versions prior to 10.2.2 **Description** The issue involves the WebKit Page Loading component and allows remote attackers to execute arbitrary code or cause a denial of service, resulting in memory corruption and application crash, via a crafted web site. **Recommendations** For iOS versions prior to 10.3.3, update to version 10.3.3 or later. For Safari versions prior to 10.1.2, update to version 10.1.2 or later. For iCloud versions prior to 6.2.2 on Windows, update to version 6.2.2 or later. For iTunes versions prior to 12.6.2 on Windows, update to version 12.6.2 or later. For tvOS versions prior to 10.2.2, update to version 10.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 10.1.1 **Description** The issue involves the Safari component and allows remote attackers to spoof the address bar via a crafted web site. **Recommendations** For versions prior to 10.1.1, update to version 10.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 10.1.1 **Description** An issue in Safari allows remote attackers to spoof the address bar via a crafted web site, involving the Safari component. **Recommendations** For versions prior to 10.1.1, update to version 10.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.8.11 **Description** The issue allows Directory Traversal via the `pathfolder` parameter in the smilie module. **Recommendations** For versions prior to 1.8.11, update to version 1.8.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the smilie module until a patch is applied. Avoid using the `pathfolder` parameter in the affected module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Serendipity version 2.0.5 **Description** The issue allows attackers to perform a Cross-Site Request Forgery (CSRF) attack, enabling them to install any themes via a GET request. **Recommendations** For Serendipity version 2.0.5, consider restricting access to theme installation functionality until a patch is available. As a temporary workaround, avoid using GET requests for theme installations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CopySafe Web Protection plugin versions prior to 2.6 **Description** The issue allows attackers to change plugin settings due to a CSRF problem. **Recommendations** For versions prior to 2.6, update to version 2.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Serendipity versions 2.1-rc1 **Description** The issue is related to a Stored XSS that allows an attacker to steal an admin's cookie and other information by composing a new entry as an editor user. This is due to the lack of the serendipity event xsstrust plugin and a set config error in that plugin. **Recommendations** For Serendipity version 2.1-rc1, consider installing the serendipity event xsstrust plugin and fixing the set config error in the plugin to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.8.11 **Description** The issue concerns the Email MyCode component, which allows for cross-site scripting (XSS) attacks. This is demonstrated through the use of an onmouseover event. **Recommendations** For versions prior to 1.8.11, update to version 1.8.11 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.8.11 **Description** The issue allows remote attackers to bypass an SSRF protection mechanism. **Recommendations** For versions prior to 1.8.11, update to version 1.8.11 or later to resolve the issue.