Sethvargo

**Name of the Vulnerable Software and Affected Versions** Exposure Notification server versions prior to V1.1.2 **Description** An attacker could prematurely expire a verification code, making it unusable by the patient, and preventing the patient from uploading their TEKs to generate exposure notifications. Users or API keys with permission to expire verification codes could have expired codes that belonged to another realm if they guessed the UUID. Verification codes can only be expired by providing their 64-bit UUID, and verification codes are already valid for a very short period of time. **Recommendations** For Exposure Notification server versions prior to V1.1.2, upgrade the server to V1.1.2 or greater.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 11.2 **Description** The issue concerns the retrieval of exchange rates over an insecure connection. In the affected versions, exchange rates were fetched using HTTP instead of the more secure HTTPS protocol. **Recommendations** For iOS versions prior to 11.2, update to version 11.2 or later to enable HTTPS for exchange rates.