NETGEAR XR1000 devices before 1.0.0.58 are affected by denial of service.

Was this article helpful?   Yes     No

Associated CVE IDs: None 

First published: 2021-09-26

NETGEAR has released fixes for a denial of service security vulnerability on the following product models:

*   XR1000, running firmware versions prior to 1.0.0.58

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
     If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**. 
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The denial of service vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

**Acknowledgements**

erikdejong

**Common Vulnerability Scoring System**

CVSS Rating: Medium

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**Best Practices for Updating Firmware**

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products. 

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

**Contact**

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

**Revision History**

2021-09-26: Published advisory

Last Updated:10/26/2021 | Article ID: 000064158

**Was this article helpful?**Yes No

**This article applies to:**

*   Nighthawk Pro Gaming (1)
    *   XR1000

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2021-45519: Security Advisory for Denial of Service on XR1000, PSV-2021-0033 | Answer

Was this article helpful?   Yes     No

Associated CVE IDs: None 

First published: 2021-09-26

NETGEAR has released fixes for a denial of service security vulnerability on the following product models:

*   XR1000, running firmware versions prior to 1.0.0.58

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
     If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**. 
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The denial of service vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

**Acknowledgements**

erikdejong

**Common Vulnerability Scoring System**

CVSS Rating: Medium

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**Best Practices for Updating Firmware**

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products. 

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

**Contact**

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

**Revision History**

2021-09-26: Published advisory

Last Updated:10/26/2021 | Article ID: 000064156

**Was this article helpful?**Yes No

**This article applies to:**

*   Nighthawk Pro Gaming (1)
    *   XR1000

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2021-45517: Security Advisory for Denial of Service on XR1000, PSV-2021-0031 | Answer

Certain NETGEAR devices are affected by denial of service. This affects R6400 before 1.0.1.70, R7000 before 1.0.11.126, R6900P before 1.3.3.140, R7000P before 1.3.3.140, R8000 before 1.0.4.74, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and RBS850 before 3.2.10.11.

Was this article helpful?   Yes     No

Associated CVE IDs: None 

First published: 2021-09-25

NETGEAR has released fixes for a denial of service security vulnerability on the following product models:

*   R6400, running firmware versions prior to 1.0.1.70
*   R7000, running firmware versions prior to 1.0.11.126
*   R6900P, running firmware versions prior to 1.3.3.140
*   R7000P, running firmware versions prior to 1.3.3.140
*   R8000, running firmware versions prior to 1.0.4.74
*   RBK852, running firmware versions prior to 3.2.10.11
*   RBR850, running firmware versions prior to 3.2.10.11
*   RBS850, running firmware versions prior to 3.2.10.11

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
     If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**. 
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The denial of service vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

**Acknowledgements**

ling 

**Common Vulnerability Scoring System**

CVSS Rating: Medium

CVSS Score: 6.9

CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H

**Best Practices for Updating Firmware**

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products. 

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

**Contact**

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

**Revision History**

2021-09-25: Published advisory

Last Updated:10/13/2021 | Article ID: 000064060

**Was this article helpful?**Yes No

**This article applies to:**

*   Orbi (3)
    *   RBK852
    *   RBR850
    *   RBS850
*   Wireless AC Router (1)
    *   R6400
*   Wireless AC Router Nighthawk (4)
    *   R6900P
    *   R7000
    *   R7000P
    *   R8000

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2021-45516: Security Advisory for Denial of Service on Some Routers and WiFi Systems, PSV-2019-0115 | Answer

Certain NETGEAR devices are affected by denial of service. This affects EX7500 before 1.0.0.72, RBS40V before 2.6.1.4, RBW30 before 2.6.1.4, RBRE960 before 6.0.3.68, RBSE960 before 6.0.3.68, RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 before 3.2.17.12, RBS850 before 3.2.17.12, RBK752 before 3.2.17.12, and RBK852 before 3.2.17.12.

Was this article helpful?   Yes     No

Associated CVE IDs: None

First published: 2021-12-21

NETGEAR has released fixes for a denial of service security vulnerability on the following product models:

*   EX7500, running firmware versions prior to 1.0.0.72
*   RBS40V, running firmware versions prior to 2.6.1.4
*   RBW30, running firmware versions prior to 2.6.1.4
*   RBKE963, running firmware versions prior to 6.0.3.68
*   RBRE960, running firmware versions prior to 6.0.3.68
*   RBSE960, running firmware versions prior to 6.0.3.68
*   RBR750, running firmware versions prior to 3.2.17.12
*   RBR850, running firmware versions prior to 3.2.17.12
*   RBS750, running firmware versions prior to 3.2.17.12
*   RBS850, running firmware versions prior to 3.2.17.12
*   RBK752, running firmware versions prior to 3.2.17.12
*   RBK852, running firmware versions prior to 3.2.17.12

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

**To download the latest firmware for your NETGEAR product:**

1.  Visit NETGEAR Support.
2.  Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.  
    If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
3.  Click **Downloads**.
4.  Under **Current Versions**, select the download whose title begins with **Firmware Version**.
5.  Click **Download**.
6.  Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The denial of service vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

**Acknowledgements**

krouler

**Common Vulnerability Scoring System**

CVSS Rating: Medium

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**Best Practices for Updating Firmware**

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products.

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

**Contact**

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

**Revision History**

2021-12-21: Published advisory

Last Updated:12/21/2021 | Article ID: 000064484

**Was this article helpful?**Yes No

**This article applies to:**

*   Orbi (11)
    *   RBK752
    *   RBK852
    *   RBKE963
    *   RBR750
    *   RBR850
    *   RBRE960
    *   RBS40V
    *   RBS750
    *   RBS850
    *   RBSE960
    *   RBW30
*   Range Extender AC Nighthawk (1)
    *   EX7500

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2021-45515: Security Advisory for Denial of Service on Some Extenders and WiFi Systems, PSV-2020-0286 | Answer

The package parse-link-header before 2.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function.



*   **Attack Complexity**
    
    Low
    
*   **Availability**
    
    High
    

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-PARSELINKHEADER-1582783
    
*   **published**
    
    19 Dec 2021
    
*   **disclosed**
    
    19 Dec 2021
    
*   **credit**
    
    DangKhai
    

**How to fix?**

**Overview**

**PoC**

**Details**

**References**

CVE-2021-23490: Regular Expression Denial of Service (ReDoS) in parse-link-header | CVE-2021-23490 | Snyk

lib/DatabaseLayer.py in cve-search before 4.1.0 allows regular expression injection, which can lead to ReDoS (regular expression denial of service) or other impacts.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-45470: Fix Regular Expression injection by jorgectf · Pull Request #629 · cve-search/cve-search

A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS High Sierra 10.13. An application may be able to execute arbitrary code with elevated privileges.

CVE-2017-13835: About the security content of macOS High Sierra 10.13

This issue was addressed with a new entitlement. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra, iOS 12.4, tvOS 12.4. A local user may be able to read a persistent account identifier.

Released July 22, 2019

**Bluetooth**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth - KNOB)

Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.

CVE-2019-9506: Daniele Antonioli of SUTD, Singapore, Dr. Nils Ole Tippenhauer of CISPA, Germany, and Prof. Kasper Rasmussen of University of Oxford, England

The changes for this issue mitigate CVE-2020-10135.

Entry added August 13, 2019, updated June 25, 2020

**Core Data**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: natashenka of Google Project Zero

**Core Data**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2019-8647: Samuel Groß and natashenka of Google Project Zero

**Core Data**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8660: Samuel Groß and natashenka of Google Project Zero

**Game Center**

Available for: Apple TV 4K and Apple TV HD

Impact: A local user may be able to read a persistent account identifier

Description: This issue was addressed with a new entitlement.

CVE-2019-8702: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.

Entry added February 24, 2020

**Heimdal**

Available for: Apple TV 4K and Apple TV HD

Impact: An issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services

Description: This issue was addressed with improved checks to prevent unauthorized actions.

CVE-2018-16860: Isaac Boukris and Andrew Bartlett of the Samba Team and Catalyst

**Image Processing**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to a denial of service

Description: A denial of service issue was addressed with improved validation.

CVE-2019-8668: an anonymous researcher

Entry added October 8, 2019

**libxslt**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to view sensitive information

Description: A stack overflow was addressed with improved input validation.

CVE-2019-13118: found by OSS-Fuzz

**Profiles**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to restrict access to websites

Description: A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement.

CVE-2019-8698: Luke Deshotels, Jordan Beichler, and William Enck of North Carolina State University; Costin Carabaș and Răzvan Deaconescu of University POLITEHNICA of Bucharest

**Quick Look**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary

Description: This issue was addressed with improved checks.

CVE-2019-8662: natashenka and Samuel Groß of Google Project Zero

**Siri**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: natashenka of Google Project Zero

**UIFoundation**

Available for: Apple TV 4K and Apple TV HD

Impact: Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8657: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of document loads. This issue was addressed with improved state management.

CVE-2019-8690: Sergei Glazunov of Google Project Zero

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management.

CVE-2019-8649: Sergei Glazunov of Google Project Zero

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8666: Zongming Wang (王宗明) and Zhe Jin (金哲) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.

CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative

CVE-2019-8671: Apple

CVE-2019-8672: Samuel Groß of Google Project Zero

CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8677: Jihui Lu of Tencent KeenLab

CVE-2019-8678: Anthony Lai (@darkfloyd1014) of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a) of Theori, Johnny Yu (@straight\_blast) of VX Browser Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho (@alan\_h0) of Knownsec, Byron Wai of VX Browser Exploitation, P1umer of ADLab of Venustech

CVE-2019-8679: Jihui Lu of Tencent KeenLab

CVE-2019-8680: Jihui Lu of Tencent KeenLab

CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8683: lokihardt of Google Project Zero

CVE-2019-8684: lokihardt of Google Project Zero

CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech, Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL, and Eric Lung (@Khlung1) of VXRL

CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8687: Apple

CVE-2019-8688: Insu Yun of SSLab at Georgia Tech

CVE-2019-8689: lokihardt of Google Project Zero

Entry updated September 11, 2019

CVE-2019-8702: About the security content of tvOS 12.4

This issue was addressed with improved entitlements. This issue is fixed in watchOS 6, tvOS 13, macOS Catalina 10.15, iOS 13. An application may be able to gain elevated privileges.

Released September 24, 2019

**AppleFirmwareUpdateKext**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2019-8747: Mohamed Ghannam (@\_simo36)

Entry added October 29, 2019

**Audio**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8706: Yu Zhou of Ant-Financial Light-Year Security Lab

Entry added October 29, 2019

**Audio**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted audio file may disclose restricted memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8850: Anonymous working with Trend Micro Zero Day Initiative

Entry added December 4, 2019

**CFNetwork**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: This issue was addressed with improved checks.

CVE-2019-8753: Łukasz Pilorz of Standard Chartered GBS Poland

Entry added October 29, 2019

**CoreAudio**

Available for: Apple TV 4K and Apple TV HD

Impact: Playing a malicious audio file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8592: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added November 6, 2019

**CoreCrypto**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a large input may lead to a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2019-8741: Nicky Mouha of NIST

Entry added October 29, 2019

**CoreAudio**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted movie may result in the disclosure of process memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2019-8705: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added October 8, 2019

**Foundation**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8746: natashenka and Samuel Groß of Google Project Zero

Entry added October 29, 2019

**IOUSBDeviceFamily**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8718: Joshua Hill and Sem Voigtländer

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to gain elevated privileges

Description: This issue was addressed with improved entitlements.

CVE-2019-8703: an anonymous researcher

Entry added March 16, 2021

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2019-8740: Mohamed Ghannam (@\_simo36)

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A local app may be able to read a persistent account identifier

Description: A validation issue was addressed with improved logic.

CVE-2019-8809: Apple

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8712: Mohamed Ghannam (@\_simo36)

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to determine kernel memory layout

Description: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.

CVE-2019-8744: Zhuo Liang of Qihoo 360 Vulcan Team

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8709: derrek (@derrekr6) derrek (@derrekr6)

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8717: Jann Horn of Google Project Zero

Entry added October 8, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to determine kernel memory layout

Description: The issue was addressed with improved permissions logic.

CVE-2019-8780: Siguza

Entry added October 8, 2019

**Keyboards**

Available for: Apple TV 4K and Apple TV HD

Impact: A local user may be able to leak sensitive user information

Description: An authentication issue was addressed with improved state management.

CVE-2019-8704: 王 邦 宇 (wAnyBug.Com) of SAINTSEC

**libxml2**

Available for: Apple TV 4K and Apple TV HD

Impact: Multiple issues in libxml2

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8749: found by OSS-Fuzz

CVE-2019-8756: found by OSS-Fuzz

Entry added October 8, 2019

**libxslt**

Available for: Apple TV 4K and Apple TV HD

Impact: Multiple issues in libxslt

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8750: found by OSS-Fuzz

Entry added October 29, 2019

**mDNSResponder**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker in physical proximity may be able to passively observe device names in AWDL communications

Description: This issue was resolved by replacing device names with a random identifier.

CVE-2019-8799: David Kreitschmann and Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt

Entry added October 29, 2019

**UIFoundation**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted text file may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added October 8, 2019

**UIFoundation**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8831: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added November 18, 2019

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8625: Sergei Glazunov of Google Project Zero

CVE-2019-8719: Sergei Glazunov of Google Project Zero

CVE-2019-8764: Sergei Glazunov of Google Project Zero

Entry added October 8, 2019, updated October 29, 2019

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8707: an anonymous researcher working with Trend Micro's Zero Day Initiative, cc working with Trend Micro Zero Day Initiative

CVE-2019-8710: found by OSS-Fuzz

CVE-2019-8726: Jihui Lu of Tencent KeenLab

CVE-2019-8728: Junho Jang of LINE Security Team and Hanul Choi of ABLY Corporation

CVE-2019-8733: Sergei Glazunov of Google Project Zero

CVE-2019-8734: found by OSS-Fuzz

CVE-2019-8735: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8743: zhunki from Codesafe Team of Legendsec at Qi'anxin Group

CVE-2019-8751: Dongzhuo Zhao working with ADLab of Venustech

CVE-2019-8752: Dongzhuo Zhao working with ADLab of Venustech

CVE-2019-8763: Sergei Glazunov of Google Project Zero

CVE-2019-8765: Samuel Groß of Google Project Zero

CVE-2019-8766: found by OSS-Fuzz

CVE-2019-8773: found by OSS-Fuzz

Entry added October 8, 2019, updated October 29, 2019

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A validation issue was addressed with improved logic.

CVE-2019-8762: Sergei Glazunov of Google Project Zero

Entry added November 18, 2019

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2020-9932: Dongzhuo Zhao working with ADLab of Venustech

Entry added July 28, 2020

**Wi-Fi**

Available for: Apple TV 4K and Apple TV HD

Impact: A device may be passively tracked by its Wi-Fi MAC address

Description: A user privacy issue was addressed by removing the broadcast MAC address.

CVE-2019-8854: Ta-Lun Yen of UCCU Hacker and FuriousMacTeam of the United States Naval Academy and the Mitre Cooperation

Entry added December 4, 2019

CVE-2019-8703: About the security content of tvOS 13

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra. A malicious application may be able to execute arbitrary code with kernel privileges.

Released March 24, 2020

**Accounts**

Available for: macOS Catalina 10.15.3

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9772: Allison Husain of UC Berkeley

Entry added May 21, 2020

**Apple HSSPI Support**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2020-3903: Proteas of Qihoo 360 Nirvan Team

Entry updated May 1, 2020

**AppleGraphicsControl**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed with improved state management.

CVE-2020-3904: Proteas of Qihoo 360 Nirvan Team

**AppleMobileFileIntegrity**

Available for: macOS Catalina 10.15.3

Impact: An application may be able to use arbitrary entitlements

Description: This issue was addressed with improved checks.

CVE-2020-3883: Linus Henze (pinauten.de)

**Bluetooth**

Available for: macOS Catalina 10.15.3

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic

Description: An issue existed with the use of a PRNG with low entropy. This issue was addressed with improved state management.

CVE-2020-6616: Jörn Tillmanns (@matedealer) and Jiska Classen (@naehrdine) of Secure Mobile Networking Lab

Entry added May 21, 2020

**Bluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: A malicious application may be able to determine kernel memory layout

Description: A memory corruption issue was addressed with improved validation.

CVE-2020-9853: Yu Wang of Didi Research America

Entry added May 21, 2020

**Bluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-3907: Yu Wang of Didi Research America

CVE-2020-3908: Yu Wang of Didi Research America

CVE-2020-3912: Yu Wang of Didi Research America

CVE-2020-9779: Yu Wang of Didi Research America

Entry updated September 21, 2020

**Bluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2020-3892: Yu Wang of Didi Research America

CVE-2020-3893: Yu Wang of Didi Research America

CVE-2020-3905: Yu Wang of Didi Research America

**Bluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2019-8853: Jianjun Dai of Qihoo 360 Alpha Lab

**Call History**

Available for: macOS Catalina 10.15.3

Impact: A malicious application may be able to access a user's call history

Description: This issue was addressed with a new entitlement.

CVE-2020-9776: Benjamin Randazzo (@\_\_\_\_benjamin)

**CoreBluetooth**

Available for: macOS Catalina 10.15.3

Impact: A remote attacker may be able to leak sensitive user information

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9828: Jianjun Dai of Qihoo 360 Alpha Lab

Entry added May 13, 2020

**CoreFoundation**

Available for: macOS Catalina 10.15.3

Impact: A malicious application may be able to elevate privileges

Description: A permissions issue existed. This issue was addressed with improved permission validation.

CVE-2020-3913: Timo Christ of Avira Operations GmbH & Co. KG

**CoreText**

Available for: macOS Catalina 10.15.3

Impact: Processing a maliciously crafted text message may lead to application denial of service

Description: A validation issue was addressed with improved input sanitization.

CVE-2020-9829: Aaron Perris (@aaronp613), an anonymous researcher, an anonymous researcher, Carlos S Tech, Sam Menzies of Sam’s Lounge, Sufiyan Gouri of Lovely Professional University, India, Suleman Hasan Rathor of Arabic-Classroom.com

Entry added May 21, 2020

**CUPS**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: An application may be able to gain elevated privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2020-3898: Stephan Zeisberg (github.com/stze) of Security Research Labs (srlabs.de)

Entry added April 8, 2020

**FaceTime**

Available for: macOS Catalina 10.15.3

Impact: A local user may be able to view sensitive user information

Description: A logic issue was addressed with improved state management.

CVE-2020-3881: Yuval Ron, Amichai Shulman and Eli Biham of Technion - Israel Institute of Technology

**Intel Graphics Driver**

Available for: macOS Catalina 10.15.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-3886: Proteas

Entry added March 16, 2021

**Intel Graphics Driver**

Available for: macOS Catalina 10.15.3

Impact: A malicious application may disclose restricted memory

Description: An information disclosure issue was addressed with improved state management.

CVE-2019-14615: Wenjian HE of Hong Kong University of Science and Technology, Wei Zhang of Hong Kong University of Science and Technology, Sharad Sinha of Indian Institute of Technology Goa, and Sanjeev Das of University of North Carolina

**IOHIDFamily**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-3919: Alex Plaskett of F-Secure Consulting

Entry updated May 21, 2020

**IOThunderboltFamily**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: An application may be able to gain elevated privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-3851: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc. and Luyi Xing of Indiana University Bloomington

**iTunes**

Available for: macOS Catalina 10.15.3

Impact: A malicious application may be able to overwrite arbitrary files

Description: This issue was addressed by removing the vulnerable code.

CVE-2020-3896: Christoph Falta

Entry added March 16, 2021

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3

Impact: An application may be able to read restricted memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-3914: pattern-f (@pattern\_F\_) of WaCai

**Kernel**

Available for: macOS Catalina 10.15.3

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed with improved state management.

CVE-2020-9785: Proteas of Qihoo 360 Nirvan Team

**libxml2**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3

Impact: Multiple issues in libxml2

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2020-3909: LGTM.com

CVE-2020-3911: found by OSS-Fuzz

**libxml2**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3

Impact: Multiple issues in libxml2

Description: A buffer overflow was addressed with improved size validation.

CVE-2020-3910: LGTM.com

**Mail**

Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: A remote attacker may be able to cause arbitrary javascript code execution

Description: An injection issue was addressed with improved validation.

CVE-2020-3884: Apple

**Printing**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3

Impact: A malicious application may be able to overwrite arbitrary files

Description: A path handling issue was addressed with improved validation.

CVE-2020-3915: An anonymous researcher working with iDefense Labs (https://vcp.idefense.com/), HyungSeok Han (DaramG) @Theori working with TrendMicro’s Zero Day Initiative

Entry added May 1, 2020

**Safari**

Available for: macOS Catalina 10.15.3

Impact: A user's private browsing activity may be unexpectedly saved in Screen Time

Description: An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling.

CVE-2020-9775: Andrian (@retroplasma), Marat Turaev, Marek Wawro (futurefinance.com) and Sambor Wawro of STO64 School Krakow Poland

Entry added May 13, 2020

**Sandbox**

Available for: macOS Catalina 10.15.3

Impact: A user may gain access to protected parts of the file system

Description: This issue was addressed with a new entitlement.

CVE-2020-9771: Csaba Fitzl (@theevilbit) of Offensive Security

Entry added May 21, 2020

**Sandbox**

Available for: macOS Catalina 10.15.3

Impact: A local user may be able to view sensitive user information

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2020-3918: an anonymous researcher, Augusto Alvarez of Outcourse Limited

Entry added April 8, 2020, updated May 21, 2020

**sudo**

Available for: macOS Catalina 10.15.3

Impact: An attacker may be able to run commands as a non-existent user

Description: This issue was addressed by updating to sudo version 1.8.31.

CVE-2019-19232

**sysdiagnose**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: An application may be able to trigger a sysdiagnose

Description: This issue was addressed with improved checks

CVE-2020-9786: Dayton Pidhirney (@\_watbulb) of Seekintoo (@seekintoo)

Entry added April 4, 2020

**TCC**

Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.3

Impact: A maliciously crafted application may be able to bypass code signing enforcement

Description: A logic issue was addressed with improved restrictions.

CVE-2020-3906: Patrick Wardle of Jamf

**Time Machine**

Available for: macOS Catalina 10.15.3

Impact: A local user may be able to read arbitrary files

Description: A logic issue was addressed with improved state management.

CVE-2020-3889: Lasse Trolle Borup of Danish Cyber Defence

**Vim**

Available for: macOS Catalina 10.15.3

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating to version 8.1.1850.

CVE-2020-9769: Steve Hahn of LinkedIn

**WebKit**

Available for: macOS Catalina 10.15.3

Impact: Some websites may not have appeared in Safari Preferences

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9787: Ryan Pickren (ryanpickren.com)

Entry added April 8, 2020

**WebKit**

Available for: macOS Catalina 10.15.3

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-3902: Yiğit Can YILMAZ (@yilmazcanyigit)

Entry added July 28, 2020

Tag

#dos