Martin Bajanik

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 15.6 **Description** Processing maliciously crafted web content may lead to universal cross site scripting due to improved state management. **Recommendations** Update to macOS version 15.6.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 108.0.5359.71 **Description** The issue is related to an inappropriate implementation in DevTools, which allowed an attacker to bypass file access restrictions. This could be achieved by convincing a user to install a malicious extension and using a crafted HTML page. The exploitation of this issue may allow a remote attacker to modify files. **Recommendations** For Google Chrome versions prior to 108.0.5359.71, update to version 108.0.5359.71 or later to resolve the issue. As a temporary workaround, consider restricting the installation of extensions to trusted sources and avoiding the use of crafted HTML pages.

**Name of the Vulnerable Software and Affected Versions** WebKitGTK and WPE WebKit versions prior to the fixed version Safari versions prior to 15.3 iOS versions prior to 15.3 iPadOS versions prior to 15.3 watchOS versions prior to 8.4 tvOS versions prior to 15.3 macOS Monterey versions prior to 12.2 **Description** The issue is related to a cross-origin problem in the IndexDB API, which has been addressed with improved input validation. This problem may allow a remote attacker to gain unauthorized access to protected information. A website may be able to track sensitive user information. **Recommendations** For WebKitGTK and WPE WebKit, update to a version that includes the fix for the IndexDB API issue. For Safari, update to version 15.3 or later. For iOS, update to version 15.3 or later. For iPadOS, update to version 15.3 or later. For watchOS, update to version 8.4 or later. For tvOS, update to version 15.3 or later. For macOS Monterey, update to version 12.2 or later. As a temporary workaround, consider restricting access to the IndexDB API until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 15.2 tvOS versions prior to 15.2 macOS Monterey versions prior to 12.1 iOS versions prior to 15.2 iPadOS versions prior to 15.2 watchOS versions prior to 8.3 **Description** A race condition was addressed with improved state handling. Processing maliciously crafted web content may lead to arbitrary code execution. The issue is related to errors in synchronization when using shared resources in WebKitGTK and WPE WebKit modules for displaying web pages. **Recommendations** For Safari version prior to 15.2, update to version 15.2 or later. For tvOS version prior to 15.2, update to version 15.2 or later. For macOS Monterey version prior to 12.1, update to version 12.1 or later. For iOS version prior to 15.2, update to version 15.2 or later. For iPadOS version prior to 15.2, update to version 15.2 or later. For watchOS version prior to 8.3, update to version 8.3 or later.

**Name of the Vulnerable Software and Affected Versions** Node.js versions prior to 6.15.0 Node.js versions prior to 8.14.0 Node.js versions prior to 10.14.0 Node.js versions prior to 11.3.0 **Description** The issue concerns hostname spoofing in the URL parser for the javascript protocol. If a Node.js application uses `url.parse()` to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" protocol, such as "javAscript:". This affects security decisions made about the URL based on the hostname, which may be incorrect. Other protocols are not affected by this issue. **Recommendations** For versions prior to 6.15.0, update to version 6.15.0 or later. For versions prior to 8.14.0, update to version 8.14.0 or later. For versions prior to 10.14.0, update to version 10.14.0 or later. For versions prior to 11.3.0, update to version 11.3.0 or later.