Narendra Bhati

Name of the Vulnerable Software and Affected Versions: Firefox for iOS versions prior to 141 Description: Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page. Recommendations: Update Firefox for iOS to version 141 or later.

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 131.0.6778.69 Microsoft Edge (affected versions not specified) Description: The issue is related to an inappropriate implementation in the Autofill feature, which can allow a remote attacker to perform UI spoofing via a crafted HTML page. This can happen if the attacker convinces a user to engage in specific UI gestures. The vulnerability is associated with errors in presenting information to the user interface. Recommendations: For Google Chrome versions prior to 131.0.6778.69, update to version 131.0.6778.69 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the Autofill feature until a patch is available. Restrict access to potentially vulnerable modules to minimize the risk of exploitation. Avoid using the Autofill feature in affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 17.7.1 iPadOS versions prior to 17.7.1 visionOS versions prior to 2.1 iOS versions prior to 18.1 iPadOS versions prior to 18.1 macOS Sequoia versions prior to 15.1 Safari versions prior to 18.1 **Description** This issue was addressed through improved state management. An attacker may be able to misuse a trust relationship to download malicious content. **Recommendations** For iOS versions prior to 17.7.1, update to iOS 17.7.1 or later. For iPadOS versions prior to 17.7.1, update to iPadOS 17.7.1 or later. For visionOS versions prior to 2.1, update to visionOS 2.1 or later. For iOS versions prior to 18.1, update to iOS 18.1 or later. For iPadOS versions prior to 18.1, update to iPadOS 18.1 or later. For macOS Sequoia versions prior to 15.1, update to macOS Sequoia 15.1 or later. For Safari versions prior to 18.1, update to Safari 18.1 or later.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 18.1 Apple iOS versions prior to 17.7.1 Apple iPadOS versions prior to 18.1 Apple iPadOS versions prior to 17.7.1 Apple tvOS versions prior to 18.1 Apple watchOS versions prior to 11.1 Apple visionOS versions prior to 2.1 Apple macOS Sequoia versions prior to 15.1 Apple Safari versions prior to 18.1 **Description** The issue was addressed with improved checks. Processing maliciously crafted web content may prevent Content Security Policy from being enforced. **Recommendations** For Apple iOS versions prior to 18.1, update to iOS 18.1 or later. For Apple iOS versions prior to 17.7.1, update to iOS 17.7.1 or later. For Apple iPadOS versions prior to 18.1, update to iPadOS 18.1 or later. For Apple iPadOS versions prior to 17.7.1, update to iPadOS 17.7.1 or later. For Apple tvOS versions prior to 18.1, update to tvOS 18.1 or later. For Apple watchOS versions prior to 11.1, update to watchOS 11.1 or later. For Apple visionOS versions prior to 2.1, update to visionOS 2.1 or later. For Apple macOS Sequoia versions prior to 15.1, update to macOS Sequoia 15.1 or later. For Apple Safari versions prior to 18.1, update to Safari 18.1 or later.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 18 iOS versions prior to 17.7.1 iPadOS versions prior to 17.7.1 macOS versions prior to Sequoia 15 watchOS versions prior to 11 **Description** A custom URL scheme handling issue was addressed with improved input validation. Maliciously crafted web content may violate iframe sandboxing policy. **Recommendations** For Safari versions prior to 18, update to Safari 18 or later. For iOS versions prior to 17.7.1, update to iOS 17.7.1 or later. For iPadOS versions prior to 17.7.1, update to iPadOS 17.7.1 or later. For macOS versions prior to Sequoia 15, update to macOS Sequoia 15 or later. For watchOS versions prior to 11, update to watchOS 11 or later.

**Name of the Vulnerable Software and Affected Versions** Safari version 18 visionOS version 2 watchOS version 11 macOS Sequoia version 15 iOS version 18 iPadOS version 18 tvOS version 18 **Description** A cross-origin issue existed with `iframe` elements, allowing a malicious website to exfiltrate data cross-origin. This issue was addressed with improved tracking of security origins. **Recommendations** For Safari version 18, no additional action is required as the issue is fixed. For visionOS version 2, no additional action is required as the issue is fixed. For watchOS version 11, no additional action is required as the issue is fixed. For macOS Sequoia version 15, no additional action is required as the issue is fixed. For iOS version 18, no additional action is required as the issue is fixed. For iPadOS version 18, no additional action is required as the issue is fixed. For tvOS version 18, no additional action is required as the issue is fixed. As a temporary workaround for older versions, consider disabling the use of `iframe` elements until a patch is available.

**Name of the Vulnerable Software and Affected Versions** watchOS versions prior to 11 macOS Sequoia versions prior to 15 Safari versions prior to 18 visionOS versions prior to 2 iOS versions prior to 18 iPadOS versions prior to 18 tvOS versions prior to 18 **Description** A cookie management issue was addressed with improved state management. A malicious website may exfiltrate data cross-origin. **Recommendations** For watchOS versions prior to 11, update to watchOS 11 to resolve the issue. For macOS Sequoia versions prior to 15, update to macOS Sequoia 15 to resolve the issue. For Safari versions prior to 18, update to Safari 18 to resolve the issue. For visionOS versions prior to 2, update to visionOS 2 to resolve the issue. For iOS versions prior to 18, update to iOS 18 to resolve the issue. For iPadOS versions prior to 18, update to iPadOS 18 to resolve the issue. For tvOS versions prior to 18, update to tvOS 18 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** macOS Sonoma versions prior to 14.6 Safari versions prior to 17.6 macOS Monterey versions prior to 12.7.6 macOS Ventura versions prior to 13.6.8 **Description** The issue was addressed with improved UI handling. Visiting a website that frames malicious content may lead to UI spoofing. **Recommendations** For macOS Sonoma versions prior to 14.6, update to macOS Sonoma 14.6. For Safari versions prior to 17.6, update to Safari 17.6. For macOS Monterey versions prior to 12.7.6, update to macOS Monterey 12.7.6. For macOS Ventura versions prior to 13.6.8, update to macOS Ventura 13.6.8.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge (Chromium-based) (affected versions not specified) **Description** The issue is related to errors in the representation of information by the user interface. Exploitation of this issue may allow a remote attacker to conduct spoofing attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge for iOS (affected versions not specified) **Description** The issue is related to errors in the representation of information by the user interface. It may allow a remote attacker to conduct spoofing attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** visionOS versions prior to 1.2 macOS Sonoma versions prior to 14.5 Safari versions prior to 17.5 **Description** The issue allows a website's permission dialog to persist after navigation away from the site. This was addressed with improved checks. **Recommendations** For visionOS versions prior to 1.2, update to visionOS 1.2 to resolve the issue. For macOS Sonoma versions prior to 14.5, update to macOS Sonoma 14.5 to resolve the issue. For Safari versions prior to 17.5, update to Safari 17.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Samsung Internet versions prior to 25.0.0.41 **Description** The issue is related to improper privilege management, allowing local attackers to bypass protection for cookies. This enables them to access sensitive information without proper authorization. **Recommendations** For versions prior to 25.0.0.41, update to version 25.0.0.41 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive cookies until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge for Android (Chromium-based) (affected versions not specified) **Description** The issue is related to errors in handling files, specifically cookies, which can allow a remote attacker to gain unauthorized access to protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge (affected versions not specified) **Description** The issue is related to a lack of protection for sensitive data in Microsoft Edge, allowing a remote attacker to disclose protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 123 **Description** The issue is related to errors in processing SameSite cookies when opening a website using the "firefox://" protocol handler. This could allow a remote attacker to impact the integrity of protected information. **Recommendations** For versions prior to 123, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting the use of the `firefox://` protocol handler until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge for Android (affected versions not specified) **Description** The issue is related to insufficient access control in Microsoft Edge for Android, which could allow a remote attacker to disclose protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 121.0.6167.85 Microsoft Edge (affected versions not specified) **Description** The issue is related to insufficient policy enforcement in the Security UI of Google Chrome and Microsoft Edge browsers, which can be exploited by a remote attacker to leak protected information. This can be achieved via a crafted HTML page, allowing the attacker to disclose cross-origin data. **Recommendations** For Google Chrome versions prior to 121.0.6167.85, update to version 121.0.6167.85 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 17 iOS versions prior to 17 iPadOS versions prior to 17 watchOS versions prior to 10 macOS Sonoma versions prior to 14 **Description** A window management issue was addressed with improved state management. Visiting a website that frames malicious content may lead to UI spoofing. **Recommendations** For Safari versions prior to 17, update to Safari 17 to resolve the issue. For iOS versions prior to 17, update to iOS 17 to resolve the issue. For iPadOS versions prior to 17, update to iPadOS 17 to resolve the issue. For watchOS versions prior to 10, update to watchOS 10 to resolve the issue. For macOS Sonoma versions prior to 14, update to macOS Sonoma 14 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 15.7.8 iPadOS versions prior to 15.7.8 iOS versions prior to 16.6 iPadOS versions prior to 16.6 tvOS versions prior to 16.6 macOS Ventura versions prior to 13.5 Safari versions prior to 16.6 watchOS versions prior to 9.6 **Description** The issue is related to errors in security settings, allowing a website to bypass Same Origin Policy. This could enable a remote attacker to circumvent existing security restrictions. **Recommendations** For iOS versions prior to 15.7.8, update to iOS 15.7.8 or later. For iPadOS versions prior to 15.7.8, update to iPadOS 15.7.8 or later. For iOS versions prior to 16.6, update to iOS 16.6 or later. For iPadOS versions prior to 16.6, update to iPadOS 16.6 or later. For tvOS versions prior to 16.6, update to tvOS 16.6 or later. For macOS Ventura versions prior to 13.5, update to macOS Ventura 13.5 or later. For Safari versions prior to 16.6, update to Safari 16.6 or later. For watchOS versions prior to 9.6, update to watchOS 9.6 or later.

**Name of the Vulnerable Software and Affected Versions** WebKitGTK versions prior to the fixed version WPE WebKit versions prior to the fixed version iOS versions prior to 16.6 iPadOS versions prior to 16.6 watchOS versions prior to 9.6 tvOS versions prior to 16.6 macOS Ventura versions prior to 13.5 **Description** A logic issue was addressed with improved restrictions. Processing web content may lead to arbitrary code execution. This issue is caused by a buffer overflow in the web page display modules of WebKitGTK and WPE WebKit. **Recommendations** For WebKitGTK, update to a version that includes the fix for this issue. For WPE WebKit, update to a version that includes the fix for this issue. For iOS, update to version 16.6 or later. For iPadOS, update to version 16.6 or later. For watchOS, update to version 9.6 or later. For tvOS, update to version 16.6 or later. For macOS Ventura, update to version 13.5 or later.