Windowsrcer

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 123.0.6312.58 **Description** The issue is related to inappropriate implementation in iOS, allowing a remote attacker to leak cross-origin data via a crafted HTML page. This is due to insufficient access control, which can be exploited by a remote attacker to gain unauthorized access to protected information. The estimated number of potentially affected devices worldwide is not specified. **Recommendations** For Google Chrome versions prior to 123.0.6312.58, update to version 123.0.6312.58 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable HTML pages until the update is applied. Avoid using Google Chrome for sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** tvOS versions prior to 17.4 macOS Sonoma versions prior to 14.4 visionOS versions prior to 1.1 iOS versions prior to 17.4 iPadOS versions prior to 17.4 watchOS versions prior to 10.4 Safari versions prior to 17.4 **Description** The issue was addressed with improved UI handling. A malicious website may exfiltrate audio data cross-origin. **Recommendations** For tvOS versions prior to 17.4, update to tvOS 17.4 to resolve the issue. For macOS Sonoma versions prior to 14.4, update to macOS Sonoma 14.4 to resolve the issue. For visionOS versions prior to 1.1, update to visionOS 1.1 to resolve the issue. For iOS versions prior to 17.4, update to iOS 17.4 to resolve the issue. For iPadOS versions prior to 17.4, update to iPadOS 17.4 to resolve the issue. For watchOS versions prior to 10.4, update to watchOS 10.4 to resolve the issue. For Safari versions prior to 17.4, update to Safari 17.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 17.3 iPadOS versions prior to 17.3 Safari versions prior to 17.3 tvOS versions prior to 17.3 macOS Sonoma versions prior to 14.3 watchOS versions prior to 10.3 **Description** A logic issue was addressed with improved checks. A malicious website may cause unexpected cross-origin behavior. The issue is related to insufficient access control in WebKitGTK and WPE WebKit modules, which can allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. **Recommendations** For iOS versions prior to 17.3, update to iOS 17.3 or later. For iPadOS versions prior to 17.3, update to iPadOS 17.3 or later. For Safari versions prior to 17.3, update to Safari 17.3 or later. For tvOS versions prior to 17.3, update to tvOS 17.3 or later. For macOS Sonoma versions prior to 14.3, update to macOS Sonoma 14.3 or later. For watchOS versions prior to 10.3, update to watchOS 10.3 or later.

**Name of the Vulnerable Software and Affected Versions** webkit2gtk versions prior to 2.42.5-0ubuntu0.22.04.2 webkit2gtk3 (affected versions not specified) Apple products (affected versions not specified) **Description** The webkit2gtk and webkit2gtk3 engines contain a type confusion flaw. This issue is actively exploited and may allow an attacker to execute arbitrary code by tricking a user into viewing a malicious website. Apple has addressed this vulnerability in iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, tvOS 17.3, iOS 16.7.5, iPadOS 16.7.5, and macOS Monterey 12.7.3. The vulnerability exists in WebKit, the browser engine used by Safari. **Recommendations** Update webkit2gtk to version 2.42.5-0ubuntu0.22.04.2 or later. Update Apple products to the latest available versions, including iOS, iPadOS, macOS, and tvOS.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 108.0.5359.71 Microsoft Edge (affected versions not specified) **Description** The issue is related to an inappropriate implementation in Navigation, allowing a remote attacker to spoof the contents of the modal dialogue via a crafted HTML page. This can be achieved by exploiting a vulnerability associated with improperly implemented security checks for standard elements. The estimated number of potentially affected devices and details about real-world incidents are not provided. **Recommendations** For Google Chrome versions prior to 108.0.5359.71, update to version 108.0.5359.71 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge (Chrome based) (affected versions not specified) **Description** The issue is related to errors in the representation of information by the user interface in Microsoft Edge's IE Mode. It may allow a remote attacker to conduct spoofing attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 94.0.4606.54 **Description** The issue is related to an inappropriate implementation in Navigation in Google Chrome on Windows, which allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page. This could enable the attacker to bypass existing security restrictions. **Recommendations** For versions prior to 94.0.4606.54, update to version 94.0.4606.54 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 76.0.3809.87 **Description** The issue is related to insufficient filtering in URI schemes, allowing a remote attacker to bypass navigation restrictions. This could potentially enable the execution of arbitrary JavaScript code. **Recommendations** For Google Chrome versions prior to 76.0.3809.87, update to version 76.0.3809.87 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 12.1 iOS versions prior to 12.2 tvOS versions prior to 12.2 iTunes for Windows versions prior to 12.9.4 iCloud for Windows versions prior to 7.11 **Description** A cross-origin issue existed with the fetch API, which has been addressed with improved input validation. Processing maliciously crafted web content may disclose sensitive user information. The issue is related to insufficient input validation in the WebKit display module, allowing a remote attacker to gain unauthorized access to protected information. **Recommendations** For Safari versions prior to 12.1, update to Safari 12.1 or later. For iOS versions prior to 12.2, update to iOS 12.2 or later. For tvOS versions prior to 12.2, update to tvOS 12.2 or later. For iTunes for Windows versions prior to 12.9.4, update to iTunes 12.9.4 or later. For iCloud for Windows versions prior to 7.11, update to iCloud for Windows 7.11 or later.

Name of the Vulnerable Software and Affected Versions: Safari versions prior to 12.0.2 iOS versions prior to 12.1.1 tvOS versions prior to 12.1.1 iTunes versions prior to 12.9.2 for Windows Description: A logic issue related to state management may disclose sensitive user information when processing maliciously crafted web content. This issue allows attackers to obtain sensitive user information via maliciously crafted web content. Recommendations: For Safari versions prior to 12.0.2, update to Safari 12.0.2 or later. For iOS versions prior to 12.1.1, update to iOS 12.1.1 or later. For tvOS versions prior to 12.1.1, update to tvOS 12.1.1 or later. For iTunes versions prior to 12.9.2 for Windows, update to iTunes 12.9.2 for Windows or later.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 12.1.3 Apple iCloud for Windows versions prior to 7.10 Apple iTunes for Windows versions prior to 12.9.3 Apple Safari versions prior to 12.0.3 Apple tvOS versions prior to 12.1.2 **Description** A logic issue was addressed with improved state management. Processing maliciously crafted web content may disclose sensitive user information. **Recommendations** For iOS versions prior to 12.1.3, update to iOS 12.1.3 or later. For iCloud for Windows versions prior to 7.10, update to iCloud for Windows 7.10 or later. For iTunes for Windows versions prior to 12.9.3, update to iTunes 12.9.3 for Windows or later. For Safari versions prior to 12.0.3, update to Safari 12.0.3 or later. For tvOS versions prior to 12.1.2, update to tvOS 12.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge (affected versions not specified) **Description** An information disclosure issue exists in the way Microsoft Edge handles cross-origin requests. This could allow an attacker to determine the origin of all web pages in the affected browser. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows Media Player versions prior to the fixed version Windows 7 Windows Server 2012 R2 Windows RT 8.1 Windows Server 2008 Windows Server 2019 Windows Server 2012 Windows 8.1 Windows Server 2016 Windows Server 2008 R2 Windows 10 Windows 10 Servers **Description** The issue is related to the improper disclosure of file information by Windows Media Player, allowing a remote attacker to determine the presence of files on a disk using a specially crafted hyperlink. This can lead to the exposure of sensitive information. **Recommendations** For Windows Media Player, update to a version that includes the fix for this issue. For Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers, apply the recommended patch or update to prevent exploitation. As a temporary workaround, consider restricting access to Windows Media Player until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Windows Media Player versions prior to the fixed version Windows 7 Windows Server 2012 R2 Windows RT 8.1 Windows Server 2008 Windows Server 2019 Windows Server 2012 Windows 8.1 Windows Server 2016 Windows Server 2008 R2 Windows 10 Windows 10 Servers **Description** The issue is related to errors in the mechanisms for processing objects in memory in the Windows Media Player component of the Windows operating system. Exploitation of this issue may allow a remote attacker to access confidential information using a specially crafted hyperlink. It is an information disclosure vulnerability that exists when Windows Media Player improperly discloses file information. **Recommendations** For Windows Media Player, update to the latest version to resolve the issue. For Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers, apply the recommended security updates to fix the vulnerability. As a temporary workaround, consider restricting access to sensitive information and files that can be accessed through Windows Media Player until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Microsoft Edge (affected versions not specified) **Description** An information disclosure issue exists due to the incorrect handling of a filtered response type by the Microsoft Edge Fetch API. This could allow a remote attacker to disclose protected information. Specifically, an attacker could use this issue to read the URL of a cross-origin request. If websites do not securely populate the URL with confidential information, it could lead to information disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 62 Firefox ESR versions prior to 60.2 Thunderbird versions prior to 60.2.1 **Description** A same-origin policy violation exists, allowing the theft of cross-origin URL entries. This occurs when a page uses a meta http-equiv="refresh" to cause a redirection to another site, exploiting the performance.getEntries() function. This could enable data theft. **Recommendations** For Firefox versions prior to 62, update to version 62 or later to resolve the issue. For Firefox ESR versions prior to 60.2, update to version 60.2 or later to resolve the issue. For Thunderbird versions prior to 60.2.1, update to version 60.2.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Internet Explorer 11 Microsoft Edge **Description** An elevation of privilege issue exists in Microsoft browsers, allowing sandbox escape. This could enable an attacker to elevate privileges on an affected system. The vulnerability by itself does not allow arbitrary code execution but could be used in combination with another vulnerability to run arbitrary code. **Recommendations** For Internet Explorer 11, update to a version that includes the fix for this issue. For Microsoft Edge, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to sensitive areas of the system to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Internet Explorer 11 Microsoft Edge Internet Explorer 10 **Description** The issue is related to errors in the implementation of cross-frame interaction in Microsoft browsers. It allows a remote attacker to disclose protected information using a specially crafted web page. An attacker who successfully exploits this issue could obtain browser frame or window state from a different domain. **Recommendations** For Internet Explorer 11, update to a version that properly restricts cross-frame interaction. For Microsoft Edge, update to a version that properly restricts cross-frame interaction. For Internet Explorer 10, update to a version that properly restricts cross-frame interaction. As a temporary workaround, consider restricting access to sensitive information when using affected browsers until a patch is available.