Xdavidhu

**Name of the Vulnerable Software and Affected Versions** Next.js versions 16.0.1 through 16.1.6 **Description** Next.js, a React framework for building full-stack web applications, had a flaw in its development mode (`next dev`) where cross-site protection for internal websocket endpoints could incorrectly allow connections from contexts with a `Origin: null` header, even when `allowedDevOrigins` was configured. This could allow an attacker with access to attacker-controlled content to connect to the Hot Module Replacement (HMR) websocket channel and potentially interact with development websocket traffic. The issue only affects development mode. Applications without a configured `allowedDevOrigins` were also susceptible, allowing connections from any origin. The API endpoint `/ next/webpack-hmr` is involved in this issue. The `Origin` variable is a key factor in the vulnerability. **Recommendations** Next.js versions prior to 16.1.7 should be updated to version 16.1.7 or later to validate the `Origin: null` header using the same cross-site origin checks as other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks. As an additional measure, block websocket upgrades to the `/ next/webpack-hmr` endpoint when the `Origin` header is `null` at the proxy.

Name of the Vulnerable Software and Affected Versions: iOS versions prior to 14.5 iPadOS versions prior to 14.5 watchOS versions prior to 7.4 Description: A validation issue was addressed with improved input sanitization, allowing a local user to potentially write arbitrary files. Recommendations: For iOS versions prior to 14.5, update to iOS 14.5 or later. For iPadOS versions prior to 14.5, update to iPadOS 14.5 or later. For watchOS versions prior to 7.4, update to watchOS 7.4 or later.

**Name of the Vulnerable Software and Affected Versions** Safari versions prior to 14.1.1 tvOS versions prior to 14.6 iOS versions prior to 14.6 iPadOS versions prior to 14.6 macOS Big Sur versions prior to 11.4 watchOS versions prior to 7.5 **Description** The issue is related to a logic problem with inadequate restrictions, which may allow a malicious website to access restricted ports on arbitrary servers. This could potentially lead to unauthorized access to confidential data and disruption of its integrity. **Recommendations** For Safari version prior to 14.1.1, update to Safari 14.1.1 or later. For tvOS version prior to 14.6, update to tvOS 14.6 or later. For iOS version prior to 14.6, update to iOS 14.6 or later. For iPadOS version prior to 14.6, update to iPadOS 14.6 or later. For macOS Big Sur version prior to 11.4, update to macOS Big Sur 11.4 or later. For watchOS version prior to 7.5, update to watchOS 7.5 or later.