Łukasz Pilorz

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.15 watchOS versions prior to 6 iOS versions prior to 13 tvOS versions prior to 13 **Description** The issue allows for a cross site scripting attack when processing maliciously crafted web content. **Recommendations** For macOS versions prior to 10.15, update to macOS Catalina 10.15. For watchOS versions prior to 6, update to watchOS 6. For iOS versions prior to 13, update to iOS 13. For tvOS versions prior to 13, update to tvOS 13.

Name of the Vulnerable Software and Affected Versions: Roundcube Webmail versions prior to 1.3.15 Roundcube Webmail versions prior to 1.4.8 Description: The issue allows stored XSS in HTML messages during message display via a crafted SVG document. This can be exploited by a remote attacker to compromise data integrity. The problem is related to insufficient protection measures for web page structures in the Roundcube Webmail client, specifically in the wash uri function of the rcube washtml.php file. Recommendations: For versions prior to 1.3.15, update to version 1.3.15 or later. For versions prior to 1.4.8, update to version 1.4.8 or later.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 9 **Description** The issue is related to errors in security settings, allowing a remote attacker to exploit it by using a specially crafted website to spoof the relationship between URLs and web content. This can lead to the substitution of web page content. **Recommendations** For versions prior to 9, update to version 9 or later to resolve the issue. As a temporary workaround, consider restricting access to untrusted websites to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 9 **Description** The issue is related to how WebKit in iOS handles "Content-Disposition: attachment" HTTP headers, which could allow man-in-the-middle attackers to obtain sensitive information. Exploitation of this issue may enable a remote attacker to access protected information by conducting man-in-the-middle attacks. **Recommendations** For versions prior to 9, update to iOS version 9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 21.0.1180.82 on iOS **Description** The issue allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS (UXSS) attacks. This is achieved through certain incorrect calls to WebView methods that trigger the use of an `applewebdata:` URL, involving vectors with the `document.write` method. **Recommendations** For Google Chrome versions prior to 21.0.1180.82 on iOS, update to version 21.0.1180.82 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 7 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading a file, due to the failure to prevent HTML interpretation of a document served with a text/plain content type. **Recommendations** For versions prior to 7, update to version 7 or later to resolve the issue.