Ryan Pickren

**Name of the Vulnerable Software and Affected Versions** visionOS versions prior to 1.2 **Description** The issue is related to an uncontrolled resource consumption in the WebKit component of the visionOS operating system. Exploitation of this issue may allow a remote attacker to inject arbitrary 3D objects and cause a denial-of-service. Processing web content may lead to a denial-of-service. The issue was addressed with improvements to the file handling protocol. **Recommendations** For versions prior to 1.2, update to visionOS 1.2 to resolve the issue. As a temporary workaround, consider restricting the processing of web content to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned. **Description** A CORS misconfiguration in the web-based management allows a malicious third-party web server to misuse basic information pages, potentially leading to the disclosure of device information such as CPU diagnostics. The impact is limited to a small subset of confidentiality due to the restricted amount of readable information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WAGO PFC100/PFC200 versions (affected versions not specified) WAGO CC100 versions (affected versions not specified) WAGO Edge Controller versions (affected versions not specified) WAGO Touch Panel 600 versions (affected versions not specified) **Description** The issue is related to the lack of authentication for a critical function in the web-based management interface, allowing an unauthenticated attacker to access and modify device parameters. This could lead to the full compromise of the device. The vulnerability may also allow a remote attacker to execute arbitrary code. **Recommendations** For WAGO PFC100/PFC200, consider restricting access to the configuration backend until a fix is available. For WAGO CC100, restrict access to critical functions that do not require authentication. For WAGO Edge Controller, limit the ability of unauthenticated users to read and set device parameters. For WAGO Touch Panel 600, disable remote access to the web-based management interface until the issue is resolved. As a temporary workaround, consider disabling critical functions that can be exploited by unauthenticated users until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WAGO PFC100/PFC200 versions (affected versions not specified) WAGO CC100 versions (affected versions not specified) WAGO Edge Controller versions (affected versions not specified) WAGO Touch Panel 600 versions (affected versions not specified) **Description** The issue is related to the lack of authentication for a critical function in the configuration backend of the software. This could allow a remote attacker to write arbitrary data with root privileges, potentially leading to unauthenticated remote code execution and full system compromise. **Recommendations** For WAGO PFC100/PFC200, consider implementing authentication mechanisms for critical functions to prevent unauthorized access until a patch is available. For WAGO CC100, restrict access to the configuration backend to minimize the risk of exploitation. For WAGO Edge Controller, disable any functionality that allows writing arbitrary data with root privileges until a fix is provided. For WAGO Touch Panel 600, avoid using the configuration backend for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WAGO PFC100/PFC200 versions (affected versions not specified) WAGO CC100 versions (affected versions not specified) WAGO Edge Controller versions (affected versions not specified) WAGO Touch Panel 600 versions (affected versions not specified) **Description** The configuration backend of the web-based management interface for WAGO programmable logic controllers and touch panels is vulnerable to reflected Cross-Site Scripting (XSS) attacks. This vulnerability can be exploited by a remote attacker to conduct inter-site script attacks, potentially affecting the confidentiality and integrity of the system, but with no impact on availability. **Recommendations** For WAGO PFC100/PFC200, consider disabling the web-based management interface until a patch is available. For WAGO CC100, restrict access to the configuration backend to minimize the risk of exploitation. For WAGO Edge Controller, avoid using the web-based management interface for sensitive operations until the issue is resolved. For WAGO Touch Panel 600, as a temporary workaround, consider implementing additional security measures to protect against XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 12.0.1 **Description** A logic issue was addressed with improved state management, allowing a malicious application to bypass Gatekeeper checks. This issue affects the Safari browser. **Recommendations** For macOS versions prior to 12.0.1, update to macOS Monterey 12.0.1 to resolve the issue. As a temporary workaround, consider restricting the use of Safari until the update is applied.

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 12.1 macOS Big Sur versions prior to 11.6.2 Security Update versions prior to 2021-008 Catalina **Description** A malicious OSAX scripting addition may bypass Gatekeeper checks and circumvent sandbox restrictions. This issue was addressed by disabling execution of JavaScript when viewing a scripting dictionary. **Recommendations** For macOS versions prior to 12.1, update to macOS Monterey 12.1 or later. For macOS Big Sur versions prior to 11.6.2, update to macOS Big Sur 11.6.2 or later. For Security Update versions prior to 2021-008 Catalina, apply Security Update 2021-008 Catalina or later. As a temporary workaround, consider disabling the execution of JavaScript when viewing a scripting dictionary until a patch is available.

Name of the Vulnerable Software and Affected Versions: iOS versions prior to 14.3 iPadOS versions prior to 14.3 Description: A logic issue was addressed with improved state management. The issue causes an enterprise application installation prompt to display the wrong domain. Recommendations: For iOS versions prior to 14.3, update to iOS 14.3 or later to resolve the issue. For iPadOS versions prior to 14.3, update to iPadOS 14.3 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: iOS versions prior to 14.4 iPadOS versions prior to 14.4 Description: A lock screen issue allowed unauthorized access to contacts on a locked device. This was possible due to inadequate state management. An attacker with physical access to the device could potentially view private contact information. Recommendations: For iOS versions prior to 14.4, update to iOS 14.4 or later to resolve the issue. For iPadOS versions prior to 14.4, update to iPadOS 14.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 13.0.5 **Description** A logic issue was addressed with improved validation. The issue involves a URL scheme that may be incorrectly ignored when determining multimedia permission for a website. **Recommendations** For versions prior to 13.0.5, update to Safari 13.0.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 13.4 iPadOS versions prior to 13.4 macOS Catalina versions prior to 10.15.4 tvOS versions prior to 13.4 watchOS versions prior to 6.2 **Description** A logic issue was addressed with improved restrictions. Some websites may not have appeared in Safari Preferences. **Recommendations** For iOS versions prior to 13.4, update to iOS 13.4 or later. For iPadOS versions prior to 13.4, update to iPadOS 13.4 or later. For macOS Catalina versions prior to 10.15.4, update to macOS Catalina 10.15.4 or later. For tvOS versions prior to 13.4, update to tvOS 13.4 or later. For watchOS versions prior to 6.2, update to watchOS 6.2 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 14.0 iPadOS versions prior to 14.0 tvOS versions prior to 14.0 watchOS versions prior to 7.0 Safari versions prior to 14.0 iCloud for Windows versions prior to 11.4 and 7.21 **Description** An input validation issue was addressed with improved input validation. Processing maliciously crafted web content may lead to a cross site scripting attack. **Recommendations** For iOS versions prior to 14.0, update to iOS 14.0 or later. For iPadOS versions prior to 14.0, update to iPadOS 14.0 or later. For tvOS versions prior to 14.0, update to tvOS 14.0 or later. For watchOS versions prior to 7.0, update to watchOS 7.0 or later. For Safari versions prior to 14.0, update to Safari 14.0 or later. For iCloud for Windows versions prior to 11.4 and 7.21, update to iCloud for Windows 11.4 or later, or 7.21 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 13.5 iPadOS versions prior to 13.5 tvOS versions prior to 13.4.5 watchOS versions prior to 6.2.5 Safari versions prior to 13.1.1 iTunes versions prior to 12.10.7 for Windows iCloud for Windows versions prior to 11.2 and 7.19 **Description** The issue is related to input validation and may lead to a cross-site scripting attack when processing maliciously crafted web content. This can allow a remote attacker to perform inter-site script attacks by exploiting the vulnerability in the WebKit modules for displaying web pages. **Recommendations** For iOS versions prior to 13.5, update to iOS 13.5 or later. For iPadOS versions prior to 13.5, update to iPadOS 13.5 or later. For tvOS versions prior to 13.4.5, update to tvOS 13.4.5 or later. For watchOS versions prior to 6.2.5, update to watchOS 6.2.5 or later. For Safari versions prior to 13.1.1, update to Safari 13.1.1 or later. For iTunes versions prior to 12.10.7 for Windows, update to iTunes 12.10.7 for Windows or later. For iCloud for Windows versions prior to 11.2 and 7.19, update to iCloud for Windows 11.2 or 7.19 or later.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 13.1 **Description** A logic issue was addressed with improved restrictions. A malicious iframe may use another website's download settings. **Recommendations** For versions prior to 13.1, update to Safari 13.1 to resolve the issue. As a temporary workaround, consider restricting the use of iframes from untrusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 13.4 iPadOS versions prior to 13.4 tvOS versions prior to 13.4 Safari versions prior to 13.1 iTunes for Windows versions prior to 12.10.5 iCloud for Windows versions prior to 10.9.3 and 7.18 **Description** A logic issue was addressed with improved restrictions. The issue is related to incorrect association of a download's origin. Exploitation of this issue may allow a remote attacker to impact the integrity of protected information. **Recommendations** For iOS versions prior to 13.4, update to iOS 13.4 or later. For iPadOS versions prior to 13.4, update to iPadOS 13.4 or later. For tvOS versions prior to 13.4, update to tvOS 13.4 or later. For Safari versions prior to 13.1, update to Safari 13.1 or later. For iTunes for Windows versions prior to 12.10.5, update to iTunes for Windows 12.10.5 or later. For iCloud for Windows versions prior to 10.9.3 and 7.18, update to iCloud for Windows 10.9.3 or later, and 7.18 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 13.4 iPadOS versions prior to 13.4 macOS (affected versions not specified) tvOS versions prior to 13.4 Safari versions prior to 13.1 iTunes for Windows versions prior to 12.10.5 iCloud for Windows versions prior to 10.9.3 and 7.18 **Description** The issue is related to an incorrect implementation of control flow, which may allow a remote attacker to compromise the integrity of protected information due to incorrect processing of a file URL. **Recommendations** For iOS versions prior to 13.4, update to iOS 13.4 or later. For iPadOS versions prior to 13.4, update to iPadOS 13.4 or later. For tvOS versions prior to 13.4, update to tvOS 13.4 or later. For Safari versions prior to 13.1, update to Safari 13.1 or later. For iTunes for Windows versions prior to 12.10.5, update to iTunes for Windows 12.10.5 or later. For iCloud for Windows versions prior to 10.9.3 and 7.18, update to iCloud for Windows 10.9.3 or 7.18 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 13.3.1 iPadOS versions prior to 13.3.1 tvOS versions prior to 13.3.1 Safari versions prior to 13.0.5 iTunes for Windows versions prior to 12.10.4 iCloud for Windows versions prior to 11.0 iCloud for Windows versions prior to 7.17 **Description** The issue is related to multiple memory corruption problems that have been addressed with improved memory handling. Processing maliciously crafted web content may lead to arbitrary code execution. **Recommendations** For iOS versions prior to 13.3.1, update to iOS 13.3.1 or later. For iPadOS versions prior to 13.3.1, update to iPadOS 13.3.1 or later. For tvOS versions prior to 13.3.1, update to tvOS 13.3.1 or later. For Safari versions prior to 13.0.5, update to Safari 13.0.5 or later. For iTunes for Windows versions prior to 12.10.4, update to iTunes for Windows 12.10.4 or later. For iCloud for Windows versions prior to 11.0, update to iCloud for Windows 11.0 or later. For iCloud for Windows versions prior to 7.17, update to iCloud for Windows 7.17 or later.

**Name of the Vulnerable Software and Affected Versions** iCloud for Windows versions prior to 7.17 iTunes for Windows versions prior to 12.10.4 iCloud for Windows versions prior to 10.9.2 tvOS versions prior to 13.3.1 Safari versions prior to 13.0.5 iOS versions prior to 13.3.1 iPadOS versions prior to 13.3.1 **Description** A logic issue was addressed with improved validation. The issue involves a DOM object context that may not have had a unique security origin, potentially allowing attackers to affect the system. **Recommendations** For iCloud for Windows versions prior to 7.17, update to version 7.17 or later. For iTunes for Windows versions prior to 12.10.4, update to version 12.10.4 or later. For iCloud for Windows versions prior to 10.9.2, update to version 10.9.2 or later. For tvOS versions prior to 13.3.1, update to version 13.3.1 or later. For Safari versions prior to 13.0.5, update to version 13.0.5 or later. For iOS versions prior to 13.3.1, update to version 13.3.1 or later. For iPadOS versions prior to 13.3.1, update to version 13.3.1 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 12.2 **Description** A permissions issue existed in the handling of motion and orientation data, allowing a website to access sensor information without user consent. This issue was addressed with improved restrictions. **Recommendations** For iOS versions prior to 12.2, update to iOS 12.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 12.2 Safari versions prior to 12.1 **Description** A logic issue was addressed with improved validation. Enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross site scripting. **Recommendations** For iOS versions prior to 12.2, update to iOS 12.2 to resolve the issue. For Safari versions prior to 12.1, update to Safari 12.1 to resolve the issue. As a temporary workaround, consider disabling the Safari Reader feature until a patch is available.