D Link · D-Link Dir-600 · CVE-2014-100005
**Name of the Vulnerable Software and Affected Versions**
D-Link DIR-600 router versions prior to 2.17b02
**Description**
This is a cross-site request forgery (CSRF) vulnerability in the router's web management interface. It allows remote attackers to hijack the authentication of logged-in administrators for various state-changing requests, including creating an administrator account, enabling remote management via a crafted configuration module submitted to "hedwig.cgi", activating new configuration settings via a SETCFG,SAVE,ACTIVATE action to "pigwidgeon.cgi", or sending a ping via a ping action to "diagnostic.php".
**Recommendations**
For D-Link DIR-600 router versions prior to 2.17b02, update the firmware to version 2.17b02 or later to resolve the issue.
As a temporary workaround, restrict access to the vulnerable endpoints, such as "hedwig.cgi", "pigwidgeon.cgi", and "diagnostic.php", until the firmware can be updated.
Avoid using the vulnerable configuration module and actions, such as SETCFG,SAVE,ACTIVATE and ping, in the affected API endpoints until the issue is resolved.
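The description above names the three endpoints whose requests could be forged, and the recommendations ask for access to them to be restricted. The following is an added illustration, not D-Link firmware code, of the server-side check that closes a CSRF hole of this shape: a request to a state-changing endpoint is accepted only if it uses a non-GET method, its Origin or Referer names the router itself, and it carries a per-session anti-CSRF token. The `CsrfGuard` class, the `csrf_token` form field, and the sample host `192.168.0.1` are assumptions chosen for the example.

```python
"""Anti-CSRF guard for a router admin interface (added example, not D-Link code)."""
import hmac
import secrets
from urllib.parse import urlsplit

# Endpoints named in the advisory for CVE-2014-100005.
STATE_CHANGING_ENDPOINTS = {"/hedwig.cgi", "/pigwidgeon.cgi", "/diagnostic.php"}
SAFE_METHODS = {"POST", "PUT", "DELETE"}


class CsrfGuard:
    """Decides whether a request to an admin endpoint may proceed.

    own_hosts: hostnames/IPs under which the router serves its own UI.
    Tokens are kept in an in-memory dict keyed by session id (constructed
    store for the example; a real firmware would tie it to its session table).
    """

    def __init__(self, own_hosts):
        self.own_hosts = {h.lower() for h in own_hosts}
        self._tokens = {}

    def issue_token(self, session_id):
        """Mint a fresh token to embed in the admin UI's forms for this session."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def _origin_ok(self, headers):
        # Browsers attach Origin to cross-site POSTs; a missing header is
        # treated as untrusted (fail closed), as is the literal "null" origin,
        # whose parsed hostname is None.
        source = headers.get("Origin") or headers.get("Referer")
        if not source:
            return False
        host = urlsplit(source).hostname
        return host is not None and host.lower() in self.own_hosts

    def check(self, method, path, headers, form, session_id):
        """Return (allowed, reason) for one request."""
        if path not in STATE_CHANGING_ENDPOINTS:
            return True, "endpoint not guarded"
        if method.upper() not in SAFE_METHODS:
            # A simple GET can be triggered by an <img> tag on any page,
            # so configuration changes and pings must never be reachable by GET.
            return False, "state change not allowed via GET"
        if not self._origin_ok(headers):
            return False, "origin/referer is not the router itself"
        expected = self._tokens.get(session_id)
        supplied = form.get("csrf_token", "")
        if expected is None or not hmac.compare_digest(expected, supplied):
            return False, "missing or mismatched csrf token"
        return True, "ok"


def demo():
    """Run constructed requests through the guard; returns a dict of outcomes."""
    guard = CsrfGuard(["192.168.0.1"])  # constructed LAN address of the router
    token = guard.issue_token("admin-session")
    same_site = {"Origin": "http://192.168.0.1"}
    cross_site = {"Origin": "http://example.org"}  # constructed third-party page
    return {
        "legit_config_change": guard.check(
            "POST", "/hedwig.cgi", same_site, {"csrf_token": token}, "admin-session"),
        "forged_config_change": guard.check(
            "POST", "/hedwig.cgi", cross_site, {"csrf_token": token}, "admin-session"),
        "activate_without_token": guard.check(
            "POST", "/pigwidgeon.cgi", same_site, {"action": "SETCFG,SAVE,ACTIVATE"}, "admin-session"),
        "ping_via_get": guard.check(
            "GET", "/diagnostic.php", same_site, {"csrf_token": token}, "admin-session"),
        "static_page": guard.check("GET", "/index.html", {}, {}, "admin-session"),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:24s} allowed={allowed!s:5s} ({reason})")
```

Only the legitimate same-site POST carrying the session's token is allowed; the cross-site request, the token-less activation, and the GET-triggered ping are all rejected. The Origin check alone would be defeated by a stripped header only if the guard failed open, which is why a missing header is rejected rather than ignored.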