Marcin Towalski

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 96.0.4664.45 **Description** The issue is related to a use after free in the media component, which can be exploited by a remote attacker using a crafted HTML page to potentially execute arbitrary code or exploit heap corruption. **Recommendations** For versions prior to 96.0.4664.45, update to version 96.0.4664.45 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 94.0.4606.81 Microsoft Edge (affected versions not specified) **Description** The issue is related to a heap buffer overflow in the WebRTC technology implementation in Google Chrome and Microsoft Edge, which occurs when processing HTML content. This can allow a remote attacker to execute arbitrary code or cause a denial of service by convincing a user to visit a specially crafted webpage. The attacker can exploit heap corruption via a crafted HTML page. **Recommendations** For Google Chrome versions prior to 94.0.4606.81, update to version 94.0.4606.81 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 93.0.4577.82 **Description** The issue is related to a use after free vulnerability in the Selection API component of Google Chrome and Microsoft Edge browsers, which can be exploited by a remote attacker using a specially crafted HTML page, potentially leading to heap corruption or arbitrary code execution. The attacker must convince the user to visit a malicious website to exploit this issue. **Recommendations** For Google Chrome versions prior to 93.0.4577.82, update to version 93.0.4577.82 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the Selection API until a patch is available. Restrict access to malicious websites to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 92.0.4515.159 **Description** The issue is related to a use after free in WebRTC, which allowed an attacker who convinced a user to visit a malicious website to potentially exploit heap corruption via a crafted HTML page. This could allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service using a specially crafted HTML page. **Recommendations** For Google Chrome versions prior to 92.0.4515.159, update to version 92.0.4515.159 or later to resolve the issue. As a temporary workaround, consider restricting access to WebRTC functionality until a patch is applied. Avoid using crafted HTML pages that could exploit the heap corruption vulnerability.

**Name of the Vulnerable Software and Affected Versions** WebKitGTK version 2.30.4 **Description** A use-after-free vulnerability exists in the way certain events are processed for `ImageLoader` objects of WebKit. This vulnerability can be exploited by a remote attacker, allowing them to access confidential data, compromise data integrity, and cause a denial of service. A specially crafted web page can lead to a potential information leak and further memory corruption. To trigger the vulnerability, a victim must be tricked into visiting a malicious webpage. **Recommendations** For WebKitGTK version 2.30.4, consider disabling the `ImageLoader` object until a patch is available to prevent potential information leaks and memory corruption. Restrict access to malicious web pages to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WebKitGTK version 2.30.4 **Description** A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events. This can lead to a potential information leak and further memory corruption when a victim visits a specially crafted web page. The vulnerability can be exploited by a remote attacker to access confidential data, compromise data integrity, and cause a denial of service. **Recommendations** For WebKitGTK version 2.30.4, update to a version with improved memory management to address the use-after-free issue. As a temporary workaround, consider restricting access to potentially malicious web pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 84.0.4147.125 **Description** The issue is related to an out of bounds read in the WebGL functionality, allowing a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. This could potentially impact a significant number of devices worldwide, although the exact number is not specified. **Recommendations** For Google Chrome versions prior to 84.0.4147.125, update to version 84.0.4147.125 or later to resolve the issue. As a temporary workaround, consider disabling WebGL functionality until a patch is available. Restrict access to potentially sensitive information to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 13.3.1 iPadOS versions prior to 13.3.1 tvOS versions prior to 13.3.1 Safari versions prior to 13.0.5 iTunes for Windows versions prior to 12.10.4 iCloud for Windows versions prior to 11.0 and 7.17 **Description** The issue is related to multiple memory corruption problems that have been addressed with improved memory handling. Processing maliciously crafted web content may lead to arbitrary code execution. **Recommendations** For iOS versions prior to 13.3.1, update to iOS 13.3.1 or later. For iPadOS versions prior to 13.3.1, update to iPadOS 13.3.1 or later. For tvOS versions prior to 13.3.1, update to tvOS 13.3.1 or later. For Safari versions prior to 13.0.5, update to Safari 13.0.5 or later. For iTunes for Windows versions prior to 12.10.4, update to iTunes for Windows 12.10.4 or later. For iCloud for Windows versions prior to 11.0 and 7.17, update to iCloud for Windows 11.0 or later, and ensure version 7.17 or later is installed.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 13.3 Apple iPadOS versions prior to 13.3 Apple tvOS versions prior to 13.3 Apple Safari versions prior to 13.0.4 Apple iTunes for Windows versions prior to 12.10.3 Apple iCloud for Windows versions prior to 10.9 and prior to 7.16 **Description** A use after free issue was addressed with improved memory management. Processing maliciously crafted web content may lead to arbitrary code execution. **Recommendations** For iOS versions prior to 13.3, update to iOS 13.3 or later. For iPadOS versions prior to 13.3, update to iPadOS 13.3 or later. For tvOS versions prior to 13.3, update to tvOS 13.3 or later. For Safari versions prior to 13.0.4, update to Safari 13.0.4 or later. For iTunes for Windows versions prior to 12.10.3, update to iTunes 12.10.3 or later. For iCloud for Windows versions prior to 10.9 and prior to 7.16, update to iCloud for Windows 10.9 or later and ensure version 7.16 or later is installed.

**Name of the Vulnerable Software and Affected Versions** LEADTOOLS version 20.0.2019.3.15 **Description** A heap out of bounds write issue exists in the UI tag parsing functionality of the DICOM image format. This can be triggered by a specially crafted DICOM image, potentially allowing code execution. An attacker can exploit this by crafting a DICOM image to cause an offset beyond the bounds of a heap allocation to be written. **Recommendations** For LEADTOOLS version 20.0.2019.3.15, consider avoiding the use of specially crafted DICOM images until a fix is available. As a temporary workaround, restrict the processing of DICOM images from untrusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Accusoft ImageGear version 19.3.0 **Description** An exploitable out-of-bounds write issue exists in the `TIFdecodethunderscan` function of the `igcore19d.dll` library. This can be triggered by a specially crafted TIFF file, causing an out-of-bounds write and potentially resulting in remote code execution. An attacker must provide a malformed file to the victim to exploit this issue. **Recommendations** For Accusoft ImageGear version 19.3.0, consider avoiding the use of the `TIFdecodethunderscan` function in the `igcore19d.dll` library until a patch is available. As a temporary workaround, restrict the handling of TIFF files from untrusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge (affected versions not specified) **Description** An information disclosure issue exists due to Microsoft Edge's improper handling of objects in memory. This could allow an attacker to obtain information that could be used to further compromise the user's system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge (affected versions not specified) **Description** An information disclosure issue exists due to Microsoft Edge's improper handling of objects in memory. This could allow an attacker to obtain information that could be used to further compromise the user's system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microsoft Edge (affected versions not specified) Description: A remote code execution issue exists due to improper memory object access. This could lead to memory corruption, allowing an attacker to execute arbitrary code as the current user. If the user has administrative rights, the attacker could gain control of the system, enabling them to install programs, modify or delete data, or create new accounts with full rights. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge (affected versions not specified) **Description** An information disclosure issue exists due to Microsoft Edge's improper handling of objects in memory. This could allow a remote attacker to gain unauthorized access to protected information, potentially obtaining details to further compromise the user's system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microsoft Edge versions in Microsoft Windows 10 1703 through 1709 Description: An information disclosure issue exists due to how Microsoft Edge handles objects in memory. This could allow an attacker to obtain information that could be used to further compromise the user's system. The issue is related to improper handling of objects in memory by Microsoft Edge. Recommendations: For Microsoft Edge in Microsoft Windows 10 1703 and 1709, at the moment, there is no information about a newer version that contains a fix for this issue.