Codecolorist

Name of the Vulnerable Software and Affected Versions: iOS versions prior to 14.5 iPadOS versions prior to 14.5 watchOS versions prior to 7.4 tvOS versions prior to 14.5 Description: A use after free issue was addressed with improved memory management. An attacker with JavaScript execution may be able to execute arbitrary code. Recommendations: For iOS versions prior to 14.5, update to iOS 14.5 or later. For iPadOS versions prior to 14.5, update to iPadOS 14.5 or later. For watchOS versions prior to 7.4, update to watchOS 7.4 or later. For tvOS versions prior to 14.5, update to tvOS 14.5 or later.

Name of the Vulnerable Software and Affected Versions: Apple tvOS versions prior to 14.4 Apple watchOS versions prior to 7.3 Apple iOS versions prior to 14.4 Apple iPadOS versions prior to 14.4 Description: A validation issue was addressed with improved input sanitization. Processing a maliciously crafted URL may lead to arbitrary javascript code execution. Recommendations: For tvOS versions prior to 14.4, update to tvOS 14.4 to resolve the issue. For watchOS versions prior to 7.3, update to watchOS 7.3 to resolve the issue. For iOS versions prior to 14.4, update to iOS 14.4 to resolve the issue. For iPadOS versions prior to 14.4, update to iPadOS 14.4 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: macOS Big Sur versions prior to 11.2 Security Update versions prior to 2021-001 Catalina Security Update versions prior to 2021-001 Mojave watchOS versions prior to 7.3 tvOS versions prior to 14.4 iOS versions prior to 14.4 iPadOS versions prior to 14.4 Description: A logic issue was addressed with improved validation. A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Recommendations: For macOS Big Sur, update to version 11.2 or later. For Security Update Catalina, apply Security Update 2021-001 or later. For Security Update Mojave, apply Security Update 2021-001 or later. For watchOS, update to version 7.3 or later. For tvOS, update to version 14.4 or later. For iOS, update to version 14.4 or later. For iPadOS, update to version 14.4 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 14.0 iPadOS versions prior to 14.0 tvOS versions prior to 14.0 **Description** A trust issue was addressed by removing a legacy API. An attacker may be able to misuse a trust relationship to download malicious content. **Recommendations** For iOS versions prior to 14.0, update to iOS 14.0 or later. For iPadOS versions prior to 14.0, update to iPadOS 14.0 or later. For tvOS versions prior to 14.0, update to tvOS 14.0 or later.

**Name of the Vulnerable Software and Affected Versions** macOS Catalina versions prior to 10.15.1 **Description** A malicious application may be able to elevate privileges due to a vulnerability in the system. The issue was addressed by removing the vulnerable code. **Recommendations** For macOS Catalina versions prior to 10.15.1, update to macOS Catalina 10.15.1 or apply Security Update 2019-001 or Security Update 2019-006 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 13.0.5 **Description** A custom URL scheme handling issue was addressed with improved input validation. Processing a maliciously crafted URL may lead to arbitrary javascript code execution. **Recommendations** For versions prior to 13.0.5, update to Safari 13.0.5 to resolve the issue. As a temporary workaround, consider avoiding the use of custom URL schemes until the update is applied.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 12.2 macOS Mojave versions prior to 10.14.4 **Description** A malicious application may be able to overwrite arbitrary files due to insufficient checks. **Recommendations** For iOS versions prior to 12.2, update to iOS 12.2 or later. For macOS Mojave versions prior to 10.14.4, update to macOS Mojave 10.14.4 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 12.2 macOS Mojave versions prior to 10.14.4 tvOS versions prior to 12.2 **Description** A malicious application may be able to overwrite arbitrary files due to insufficient checks. **Recommendations** For iOS versions prior to 12.2, update to iOS 12.2 or later. For macOS Mojave versions prior to 10.14.4, update to macOS Mojave 10.14.4 or later. For tvOS versions prior to 12.2, update to tvOS 12.2 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 12.2 macOS Mojave versions prior to 10.14.4 **Description** A race condition was addressed with additional validation. A malicious application may be able to gain root privileges. **Recommendations** For iOS versions prior to 12.2, update to iOS 12.2 to resolve the issue. For macOS Mojave versions prior to 10.14.4, update to macOS Mojave 10.14.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.14.4 **Description** A local user may be able to execute arbitrary shell commands due to a command injection issue in macOS TimeMachine. This allows for reliable local root privilege escalation. **Recommendations** For macOS versions prior to 10.14.4, update to macOS Mojave 10.14.4 to resolve the issue. As a temporary workaround, consider restricting access to TimeMachine until the update is applied.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 12 macOS versions prior to 10.14 **Description** An access issue was addressed with additional sandbox restrictions. **Recommendations** For iOS versions prior to 12, update to iOS 12 or later. For macOS versions prior to 10.14, update to macOS 10.14 or later.

**Name of the Vulnerable Software and Affected Versions** VMware Fusion versions 11.x before 11.0.3 **Description** The issue is related to insufficient input validation in the VMware Fusion hypervisor interface. This can be exploited by a remote attacker to execute arbitrary JavaScript code or run arbitrary commands using the VMware Tools utility set. The vulnerability involves certain unauthenticated APIs that are accessible through a web socket, which can be exploited by tricking the host user into executing JavaScript to perform unauthorized functions on the guest machine where VMware Tools is installed. This may further be exploited to execute commands on the guest machines. **Recommendations** For versions 11.x before 11.0.3, update to version 11.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the unauthenticated APIs accessible through the web socket to minimize the risk of exploitation. Additionally, avoid executing JavaScript code from untrusted sources on the host machine to prevent potential exploitation of the guest machine.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office (affected versions not specified) **Description** An issue exists where the Microsoft AutoUpdate application for Mac fails to properly validate updates before executing them. This can lead to an elevation of privilege. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.