Stefan Esser

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 12.2 macOS Mojave versions prior to 10.14.4 tvOS versions prior to 12.2 watchOS versions prior to 5.2 **Description** An out-of-bounds read issue existed, leading to the disclosure of kernel memory. This issue was addressed with improved input validation. A malicious application may be able to determine kernel memory layout. **Recommendations** For iOS versions prior to 12.2, update to iOS 12.2 or later. For macOS Mojave versions prior to 10.14.4, update to macOS Mojave 10.14.4 or later. For tvOS versions prior to 12.2, update to tvOS 12.2 or later. For watchOS versions prior to 5.2, update to watchOS 5.2 or later.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.9.9 **Description** The issue is related to a CWE-20 Input Validation problem in thumbnail processing, which can lead to remote code execution. This can be exploited via thumbnail upload by an authenticated user. It may require additional plugins to be exploited, although this has not been confirmed. **Recommendations** For WordPress versions prior to 4.9.9, update to version 4.9.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 11.2.5 macOS versions prior to 10.13.3 tvOS versions prior to 11.2.5 watchOS versions prior to 4.2.2 **Description** The issue involves the Kernel component and is related to a race condition. This condition allows attackers to bypass intended memory-read restrictions via a crafted app. **Recommendations** For iOS versions prior to 11.2.5, update to version 11.2.5 or later. For macOS versions prior to 10.13.3, update to version 10.13.3 or later. For tvOS versions prior to 11.2.5, update to version 11.2.5 or later. For watchOS versions prior to 4.2.2, update to version 4.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** GD Graphics Library versions prior to 2.2.4 **Description** The issue is caused by an integer underflow in the GD Graphics Library, which may allow remote attackers to have an unspecified impact. This can be achieved through vectors related to decrementing variables, potentially by manipulating the number of horizontal and vertical elements in an image. **Recommendations** For versions prior to 2.2.4, update to version 2.2.4 or later to resolve the issue. At the moment, there is no information about additional mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 9.3.3 Apple OS X versions prior to 10.11.6 Apple tvOS versions prior to 9.2.2 Apple watchOS versions prior to 2.2.2 **Description** The issue allows attackers to access the process list via a crafted app that makes an API call. **Recommendations** For Apple iOS versions prior to 9.3.3, update to version 9.3.3 or later. For Apple OS X versions prior to 10.11.6, update to version 10.11.6 or later. For Apple tvOS versions prior to 9.2.2, update to version 9.2.2 or later. For Apple watchOS versions prior to 2.2.2, update to version 2.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** IOHIDFamily in Apple iOS versions prior to 9.3.3 IOHIDFamily in Apple OS X versions prior to 10.11.6 IOHIDFamily in Apple tvOS versions prior to 9.2.2 IOHIDFamily in Apple watchOS versions prior to 2.2.2 **Description** The issue is related to errors in pointer dereferencing in the IOHIDFamily component. It can be exploited by a local attacker to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors. **Recommendations** For iOS versions prior to 9.3.3, update to version 9.3.3 or later. For OS X versions prior to 10.11.6, update to version 10.11.6 or later. For tvOS versions prior to 9.2.2, update to version 9.2.2 or later. For watchOS versions prior to 2.2.2, update to version 2.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.11.6 **Description** The issue concerns the Graphics Drivers subsystem and can be exploited by local users to gain privileges or cause a denial of service due to memory corruption. The exploitation is possible via unspecified vectors. The vulnerability is also described as a buffer overflow in the Graphics Drivers subsystem. **Recommendations** For Apple OS X versions prior to 10.11.6, update to version 10.11.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OS X versions prior to 10.11.5 **Description** The issue is related to insufficient access control in the CoreStorage component of the Mac OS X operating system. This allows an attacker to execute arbitrary code in a privileged context via a crafted app. **Recommendations** For OS X versions prior to 10.11.5, update to version 10.11.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.10.4 **Description** The issue concerns the kernel in Apple OS X, which does not properly manage memory in kernel-extension APIs. This allows attackers to obtain sensitive memory-layout information via a crafted app. **Recommendations** For versions prior to 10.10.4, update to version 10.10.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.4.30 PHP versions 5.5.x prior to 5.5.14 **Description** The issue is related to a "type confusion" vulnerability in the phpinfo implementation, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values for the `PHP AUTH PW`, `PHP AUTH TYPE`, `PHP AUTH USER`, and `PHP SELF` variables. This could potentially be exploited in an Apache HTTP Server web-hosting environment with mod ssl and a PHP mod php, as demonstrated by reading a private SSL key. **Recommendations** For PHP versions prior to 5.4.30, update to version 5.4.30 or later. For PHP versions 5.5.x prior to 5.5.14, update to version 5.5.14 or later. As a temporary workaround, consider restricting access to sensitive information in the phpinfo output until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.4.30 PHP versions 5.5.x prior to 5.5.14 **Description** The issue arises from incorrect anticipation of data structure types after unserialization in the SPL component, leading to potential remote code execution through crafted strings that trigger the use of a Hashtable destructor. This is related to "type confusion" issues in ArrayObject and SPLObjectStorage. **Recommendations** For PHP versions prior to 5.4.30, update to version 5.4.30 or later. For PHP versions 5.5.x prior to 5.5.14, update to version 5.5.14 or later.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.3.28 PHP versions 5.4.x prior to 5.4.23 PHP versions 5.5.x prior to 5.5.7 **Description** The issue arises from the improper parsing of notBefore and notAfter timestamps in X.509 certificates by the asn1 time to time t function. This can lead to memory corruption, allowing remote attackers to execute arbitrary code or cause a denial of service. The vulnerability is caused by a buffer overflow in the OpenSSL library used by PHP. **Recommendations** For PHP versions prior to 5.3.28, update to version 5.3.28 or later. For PHP versions 5.4.x prior to 5.4.23, update to version 5.4.23 or later. For PHP versions 5.5.x prior to 5.5.7, update to version 5.5.7 or later.

**Name of the Vulnerable Software and Affected Versions** Apple iOS version 6.1.3 **Description** The issue allows remote attackers to trigger the installation of arbitrary applications via a download-manifest `itms-services://` URL. This is possible because the software does not follow redirects during the determination of the hostname to display in an installation dialog, leveraging an open redirect vulnerability within a trusted domain. **Recommendations** For Apple iOS version 6.1.3, consider restricting access to `itms-services://` URLs until a fix is available. As a temporary workaround, avoid using the `itms-services://` protocol in trusted domains to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X version 10.8.x **Description** The issue is related to the posix spawn system call in the XNU kernel, which does not properly validate data for file actions and port actions. This allows local users to cause a denial of service (panic) by providing a size value that is inconsistent with a header count field. Additionally, it enables local users to obtain sensitive information from kernel heap memory by using a certain size value in conjunction with a crafted buffer. **Recommendations** For Apple Mac OS X version 10.8.x, consider applying configuration changes to restrict access to the posix spawn system call until a patch is available. As a temporary workaround, avoid using the posix spawn system call with crafted buffers to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions 5.x through 6.1.3 **Description** The issue is related to the `get xattrinfo` function in the XNU kernel, which does not properly validate the header of an AppleDouble file. This could allow local users to cause a denial of service, potentially resulting in memory corruption, or have other unspecified impacts by using an invalid file on an msdosfs filesystem. **Recommendations** For Apple iOS versions 5.x through 6.1.3, consider restricting access to msdosfs filesystems to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using invalid AppleDouble files on affected devices.

**Name of the Vulnerable Software and Affected Versions** dyld in Apple iOS versions 5.1.x through 6.1.3 **Description** A stack-based buffer overflow issue exists in the openSharedCacheFile function in dyld.cpp, which can be exploited by attackers using a long string in the `DYLD SHARED CACHE DIR` environment variable, making it easier to conduct untethering attacks. **Recommendations** For dyld in Apple iOS versions 5.1.x through 6.1.3, consider restricting access to the `DYLD SHARED CACHE DIR` environment variable to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple Mac OS X version 10.8.x **Description** The issue concerns the mach port space info function in the XNU kernel, which fails to initialize a certain structure member. This allows local users to obtain sensitive information from kernel heap memory by making a crafted call. **Recommendations** For Apple Mac OS X version 10.8.x, update to a version that includes the fix for this issue to prevent local users from obtaining sensitive information from kernel heap memory.

**Name of the Vulnerable Software and Affected Versions** libc in Apple iOS versions 6.1.3 libc in Apple Mac OS X versions 10.8.x **Description** The issue allows local users to bypass cookie randomization by executing a program with a call-path beginning with the stack-guard= substring. This can be demonstrated by an iOS untethering attack or an attack against a setuid Mac OS X program. **Recommendations** For Apple iOS version 6.1.3, update to a newer version that contains a fix for this issue. For Apple Mac OS X version 10.8.x, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Piwik versions prior to 1.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, which can lead to multiple cross-site scripting (XSS) vulnerabilities. **Recommendations** For versions prior to 1.1, update to version 1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Piwik versions prior to 1.1 **Description** The issue allows remote attackers to bypass intended geolocation and logging functionality. This can be achieved by either using a private address behind a proxy server or by spoofing the `X-Forwarded-For` HTTP header. **Recommendations** For versions prior to 1.1, update to version 1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `Piwik Common::getIP` function until a patch is available. Avoid relying on the `X-Forwarded-For` header for geolocation and logging purposes until the issue is resolved.