Design/Logic Flaw
The HTTP referrer header may be used to leak browsing history. The issue was resolved by downgrading all third party referrers to their origin. This issue is fixed in Safari 13.0.3, iTunes 12.10.2 for Windows, iCloud for Windows 10.9.2, tvOS 13.2, iOS 13.2 and iPadOS 13.2, iCloud for Windows 7.15...
Memory corruption
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15, iOS 13.1 and iPadOS 13.1, tvOS 13, macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006, watchOS 6. An application may be able to execute arbitrary code wi...
Memory corruption
A memory corruption vulnerability was addressed with improved locking. This issue is fixed in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006, watchOS 6.1, tvOS 13.2, iOS 13.2 and iPadOS 13.2. An application may be able to execute arbitrary code with kernel privileg...
Memory corruption
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in Safari 13.0.1, iOS 13.1 and iPadOS 13.1, iCloud for Windows 10.7, iCloud for Windows 7.14, tvOS 13, watchOS 6, iTunes 12.10.1 for Windows. Processing maliciously crafted web content may lead to...
Input validation
A validation issue was addressed with improved logic. This issue is fixed in macOS Catalina 10.15, iOS 13.1 and iPadOS 13.1, tvOS 13, watchOS 6, iOS 13. A local app may be able to read a persistent account identifier...
Memory corruption
A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 13.1 and iPadOS 13.1, watchOS 6, tvOS 13. An application may be able to execute arbitrary code with kernel privileges...
CVE-2020-3864
CVE-2020-3864 is a logic issue where a DOM object context may not have had a unique security origin. It is fixed in Apple software updates across multiple platforms: iCloud for Windows 7.17, iTunes for Windows 12.10.4, iCloud for Windows 10.9.2, tvOS 13.3.1, Safari 13.0.5, iOS 13.3.1 and iPadOS 1...
CVE-2020-3864
A logic issue was addressed with improved validation. This issue is fixed in iCloud for Windows 7.17, iTunes 12.10.4 for Windows, iCloud for Windows 10.9.2, tvOS 13.3.1, Safari 13.0.5, iOS 13.3.1 and iPadOS 13.3.1. A DOM object context may not have had a unique security origin...
CVE-2019-8898
CVE-2019-8898 describes an information disclosure in WebKit related to the Storage Access API. The issue could allow a malicious site to infer which sites a user has visited. Apple fixed this in iOS 13.3/iPadOS 13.3, tvOS 13.3, Safari 13.0.4, and iTunes 12.10.3 for Windows, with patches applied via the ...
CVE-2019-8898
An information disclosure issue existed in the handling of the Storage Access API. This issue was addressed with improved logic. This issue is fixed in iOS 13.3 and iPadOS 13.3, tvOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows. Visiting a maliciously crafted website may reveal sites a user ha...
CVE-2019-8901
This issue was addressed by verifying host keys when connecting to a previously-known SSH server. This issue is fixed in iOS 13.1 and iPadOS 13.1. An attacker in a privileged network position may be able to intercept SSH traffic from the “Run script over SSH” action...
CVE-2019-8901
CVE-2019-8901 affects iOS/iPadOS via the Shortcuts “Run script over SSH” flow. The root cause is improper host-key verification when connecting to a previously known SSH server, enabling an attacker in a privileged network position to intercept SSH traffic. Apple fixes are in iOS 13.1 and iPadOS ...
CVE-2019-8846
CVE-2019-8846 is a use-after-free vulnerability in WebKit-related components that can lead to arbitrary code execution when handling malicious web content. The issue was addressed with improved memory management and is fixed in several Apple platforms: tvOS 13.3, iOS/iPadOS 13.3, Safari 13.0.4, a...
CVE-2019-8846
A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code...
CVE-2019-8850
CVE-2019-8850 describes an out-of-bounds read in an audio processing component. Root cause: improper input validation leading to memory disclosure when processing a maliciously crafted audio file. Affected products include Apple platforms: macOS Catalina 10.15 (and 10.15.1), iOS 13.1 / iPadOS 13....
CVE-2019-8857
The issue was addressed with improved validation when an iCloud Link is created. This issue is fixed in iOS 13.3 and iPadOS 13.3. Live Photo audio and video data may be shared via iCloud links even if Live Photo is disabled in the Share Sheet carousel...
CVE-2019-8857
The CVE-2019-8857 issue concerns the Photos component in Apple iOS/iPadOS where Live Photo audio and video data could be shared via iCloud links even when Live Photo is disabled in the Share Sheet carousel. Root cause: insufficient validation during iCloud Link creation, leading to data exposure....
CVE-2019-8856
An API issue existed in the handling of outgoing phone calls initiated with Siri. This issue was addressed with improved state handling. This issue is fixed in iOS 13.3 and iPadOS 13.3, watchOS 6.1.1, macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierr...
CVE-2019-8856
The CVE-2019-8856 issue affects Apple’s CallKit in iOS/iPadOS, watchOS, and macOS where Siri-initiated outgoing calls could use the wrong cellular plan on devices with two active plans. Root cause: an API/state handling flaw in outgoing Siri calls. Impact: potential misrouting of calls due to inc...