NVD-CWE-noinfo

An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the “Speech” component. It allows attackers to bypass a sandbox protection mechanism to obtain microphone access.

An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the “WindowServer” component. It allows attackers to bypass the Secure Input Mode protection mechanism, and log keystrokes of arbitrary apps, via a crafted app that scans key states.

An issue was discovered in certain Apple products. macOS before 10.13.3 is affected. The issue involves the “Sandbox” component. It allows bypass of a sandbox protection mechanism.

An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the “Web App” component. It allows remote attackers to bypass intended restrictions on cookie persistence.

An exploitable unsafe default configuration vulnerability exists in the TURN server functionality of coTURN prior to 4.5.0.9. By default, the TURN server allows relaying external traffic to the loopback interface of its own host. This can provide access to other private services running on that host, which can lead to further attacks. An attacker can set up a relay with a loopback address as the peer on an affected TURN server to trigger this vulnerability.

An exploitable firmware update vulnerability exists in the NT9665X Chipset firmware, running on Anker Roav A1 Dashcam version RoavA1SWV1.9. The HTTP server allows for arbitrary firmware binaries to be uploaded which will be flashed upon next reboot. An attacker can send an HTTP PUT request or upgrade firmware request to trigger this vulnerability.