Ophir Lojkine

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 13.6 Apple iPadOS versions prior to 13.6 Apple tvOS versions prior to 13.4.8 Apple watchOS versions prior to 6.2.8 Apple Safari versions prior to 13.1.2 Apple iTunes for Windows versions prior to 12.10.8 Apple iCloud for Windows versions prior to 11.3 and 7.20 **Description** A command injection issue existed in Web Inspector due to insufficient escaping. Copying a URL from Web Inspector may lead to command injection. This issue was addressed with improved escaping. **Recommendations** For iOS versions prior to 13.6, update to iOS 13.6 or later. For iPadOS versions prior to 13.6, update to iPadOS 13.6 or later. For tvOS versions prior to 13.4.8, update to tvOS 13.4.8 or later. For watchOS versions prior to 6.2.8, update to watchOS 6.2.8 or later. For Safari versions prior to 13.1.2, update to Safari 13.1.2 or later. For iTunes for Windows versions prior to 12.10.8, update to iTunes 12.10.8 or later. For iCloud for Windows versions prior to 11.3 and 7.20, update to iCloud for Windows 11.3 or 7.20 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions 68.7 and earlier Firefox versions prior to 76 Thunderbird versions prior to 68.8.0 **Description** The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files. **Recommendations** For Firefox ESR versions 68.7 and earlier, update to version 68.8 or later. For Firefox versions prior to 76, update to version 76 or later. For Thunderbird versions prior to 68.8.0, update to version 68.8.0 or later. As a temporary workaround, consider avoiding the use of the 'Copy as cURL' feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 68.6 Firefox versions prior to 74 Firefox ESR versions prior to 68.6 **Description** The 'Copy as cURL' feature in the network tab of Devtools did not properly escape the HTTP method of a request. This could be controlled by a website, potentially leading to command injection and arbitrary command execution if a user pasted the command into a terminal. **Recommendations** For Thunderbird versions prior to 68.6, update to version 68.6 or later. For Firefox versions prior to 74, update to version 74 or later. For Firefox ESR versions prior to 68.6, update to version 68.6 or later.