SQL njection vulnerability in SunnyToo sturls before version 1.1.13, allows attackers to escalate privileges and obtain sensitive information via StUrls::hookActionDispatcher and StUrls::getInstanceId methods.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Urls” (sturls) up to version 1.1.13 from SunnyToo for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-46348
*   **Published at**: 2023-12-07
*   **Platform**: PrestaShop
*   **Product**: sturls
*   **Impacted release**: <= 1.1.11 (1.1.13 fixed the vulnerability - WARNING : see WARNING below)
*   **Product author**: SunnyToo
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Methods StUrls::hookActionDispatcher and StUrls::getInstanceId have sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a hook Dispatcher with forged parameters so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

WARNING : Since we noticed this vulnerability on a 1.1.13 version but the author confirm us that it only affects 1.1.11, be warned that there is maybe manufactured versions in the wild and you should check all version prior to 1.1.13.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 1.1.13**

    --- 1.1.13/modules/sturls/sturls.php
    +++ XXXXXX/modules/sturls/sturls.php
    @@ -1288,7 +1288,7 @@ class StUrls extends Module
                             FROM '._DB_PREFIX_.'category_lang l
                             LEFT JOIN '._DB_PREFIX_.'category a
                             ON (a.id_category=l.id_category)
    -                        WHERE `link_rewrite` = "'.$top_parent_name.'"
    +                        WHERE `link_rewrite` = "'.pSQL($top_parent_name).'"
                             AND a.`active` = 1
                             AND `id_lang` = '.(int)$this->context->language->id
                         );
    @@ -1297,7 +1297,7 @@ class StUrls extends Module
                         FROM '._DB_PREFIX_.'category_lang l
                         LEFT JOIN '._DB_PREFIX_.'category a
                         ON (a.id_category=l.id_category)
    -                    WHERE `link_rewrite` = "'.$parent_name.'"
    +                    WHERE `link_rewrite` = "'.pSQL($parent_name).'"
                         AND a.`active` = 1'.
                         ($top_parent_name ? ' AND `id_parent` = ' . (int)$top_parent_id : '').'
                         AND `id_lang` = '.(int)$this->context->language->id
    @@ -1344,11 +1344,11 @@ class StUrls extends Module
                     ON (a.id_'.$table.'=l.id_'.$table.')
                     '.($table != 'category' ? 'INNER JOIN '._DB_PREFIX_.$table.'_shop s
                     ON (a.id_'.$table.'=s.id_'.$table.' AND s.id_shop = '.(int)$this->context->shop->id.')' : '').'
    -                WHERE `'.$field.'` = "'.$rewrite.'"
    +                WHERE `'.bqSQL($field).'` = "'.pSQL($rewrite).'"
                     AND `id_lang` = '.(int)$this->context->language->id.'
                     '.($is_id_shop ? 'AND l.id_shop='.(int)$this->context->shop->id : '').'
    -                '.($has_ref ? 'AND reference="'.$reference.'"' : '').'
    -                '.($id_parent ? 'AND id_parent IN ('.implode(',',$id_parent).')' : '').'
    +                '.($has_ref ? 'AND reference="'.pSQL($reference).'"' : '').'
    +                '.($id_parent ? 'AND id_parent IN ('.implode(',', array_map('intval', $id_parent)).')' : '').'
                     ');
                 if ($id) {
                     Configuration::updateValue($this->_prefix_st.'sha1_'.$sig, (int)$id);
    @@ -1513,7 +1513,7 @@ class StUrls extends Module
                             SELECT bl.id_st_blog FROM '._DB_PREFIX_.'st_blog_lang bl
                             INNER JOIN '._DB_PREFIX_.'st_blog_shop bs
                             ON(bl.`id_st_blog` = bs.`id_st_blog`)
    -                        WHERE link_rewrite = "'.$rewrite.'"
    +                        WHERE link_rewrite = "'.pSQL($rewrite).'"
                             AND id_lang = '.(int)Context::getContext()->language->id.'
                             AND id_shop = '.(int)$this->context->shop->id.'
                             ');
    @@ -1536,7 +1536,7 @@ class StUrls extends Module
                             SELECT l.id_st_blog_category FROM '._DB_PREFIX_.'st_blog_category_lang l
                             INNER JOIN '._DB_PREFIX_.'st_blog_category_shop s
                             ON(l.`id_st_blog_category` = s.`id_st_blog_category`)
    -                        WHERE link_rewrite = "'.$rewrite.'"
    +                        WHERE link_rewrite = "'.$pSQL($rewrite).'"
                             AND id_lang = '.(int)Context::getContext()->language->id.'
                             AND id_shop = '.(int)$this->context->shop->id.'
                             ');
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **sturls**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-08-31

Issue discovered during a code review by TouchWeb.fr

2023-08-31

Contact Author to confirm versions scope

2023-09-09

Author confirm versions scope

2023-09-16

Author provide a patch

2023-10-17

Request a CVE ID

2023-10-23

Received CVE ID

2023-12-07

Publish this security advisory

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-46348: [CVE-2023-46348] Improper neutralization of SQL parameter in SunnyToo - Urls module for PrestaShop

Unauthenticated LFI/SSRF in JCDashboards component for Joomla.

*   **_Display Real-time data_**  
    You can setup datasources that will provide real-time data to the widgets.
    
*   **_Base widgets_**  
    JcDashboards is packaged with readily available standardized widgets (over 40 and counting) that work out the box with very little setup required.
    
*   **_JoomCode widgets_**  
    Seeing as JC Dashboards is part of the wider JoomCode developer environment we have added widget integration for the majority of JoomCode components.
    
*   **_Plotalot widget_**  
    JCDashboards provides seamless Plotalot component integration for its widget, allowing the user to select Plotalot charts that have been configured in the backend to be displayed by simply selecting the corresponding chart from the list.
    
*   **_Custom layout configurations_**  
    We give our customers the ability to customize layouts to fit their given environments, be it rearranging and resizing widgets or changing font, background and panel styling.
    
*   **_Drag 'n drop panels_**  
    The easy-to-use layout editor lets you drag and drop panels into just about any configuration you can think of.
    
*   **_Tabulated layout_**  
    Not everybody works with multiple monitor displays and so we have set JcDashboards up to able to display multiple layouts within a tabbed format. The layouts can be configured to both hide the tabs and automatically swap to the next layout in the sequence, which lets the user view multiple sets of data without having to manually work the display.
    
*   **_Comprehensive documentation_**  
    Documentation on the features and functionality of JcDashboards is available that gets updated with each new set of features.
    
*   **_Backend and frontend editing_**  
    JcDashboards makes use of Joomla's access levels which gives admins the power to not only edit layouts in the backend but gives them the opportunity to grant edit access to frontend users should the need arise.
    
*   **_Share Dashboards_**  
    You can share dashboards with non-joomla users or sites, by sharing links with secret keys provided
    
*   **_Kiosk Mode_**  
    You can configure JC Dashboards in kiosk mode with fullscreen options and setting up your rotation interval if desired.
    
*   **_Template Styles_**  
    Plenty of template styles to choose from or create your own
    

Free

**JCTables**

By JoomCode

Tables & Lists

JC Tables is a powerful and customizable Joomla! datatable component that lets you display master-detail tables, pull queries from any database, and allow user editing. JC Tables is a combination of all the best datatables out there, bringing you an extremely feature rich datatables component. Master-detail Functionality Navigation Tree Record Preview Connect to External Databases Customizable L...

Free

**JCAdminUtils**

By JoomCode

Administration

JC AdminUtils is a handy toolbox cPanel module utility for Joomla! Administrators. View your linux server health status, make notes, save code snippets, create to-do items and even configure handy shortcut URLs! Linux Server Health Info View live server health info, including: CPU Usage System Info Network Usage Disk Usage Service Status Load Average Memory Status Info Server Logins Shortcut...

CVE-2023-40630: JCDashboards, by JoomCode - Joomla Extension Directory




There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.





CVE-2023-25643: Security Bulletin Details


There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak.



CVE-2023-25651: Security Bulletin Details

A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023.
"GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive

Vulnerability / Data Breach

A previously unknown hacker outfit called **GambleForce** has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023.

"GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials," Singapore-headquartered Group-IB said in a report shared with The Hacker News.

The group is estimated to have targeted 24 organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of these attacks were successful.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

The modus operandi of GambleForce is its exclusive reliance on open-source tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell at different stages of the attacks with the ultimate goal of exfiltrating sensitive information from compromised networks.

Also used by the threat actor is the legitimate post-exploitation framework known as Cobalt Strike. Interestingly, the version of the tool discovered on its attack infrastructure used commands in Chinese, although the group's origins are far from clear.

The attack chains entail the abuse of victims' public-facing applications of victims by exploiting SQL injections as well as the exploitation of CVE-2023-23752, a medium-severity flaw in Joomla CMS, to gain unauthorized access to a Brazilian company.

It's currently not known how GambleForce leverages the stolen information. The cybersecurity firm said it also took down the adversary's command-and-control (C2) server and notified the identified victims.

"Web injections are among the oldest and most popular attack vectors," Nikita Rostovcev, senior threat analyst at Group-IB, said.

"And the reason being is that sometimes developers overlook the importance of input security and data validation. Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks on web applications."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Hacker Group 'GambleForce' Tageting APAC Firms Using SQL Injection Attacks

IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks.  IBM X-Force ID:  268270.

  

**Summary**

IBM i Access Client Solutions is vulnerable to remote code execution due to a flaw which fails to authenticate the origin of a serialized object (CVE-2023-45185), and insecurely storing passwords by allowing the password encryption key to be retrieved (CVE-2023-45184) or decoded using a brute force attack (CVE-2023-45182). IBM has addressed these CVEs by providing a fix to IBM i Access Client Solutions as described in the remediation/fixes section.

**Vulnerability Details**

**CVEID:**   CVE-2023-45184  
**DESCRIPTION:**   IBM i Access Client Solutions could allow an attacker to obtain a decryption key due to improper authority checks.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268270 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-45182  
**DESCRIPTION:**   IBM i Access Client Solutions is vulnerable to having its key for an encrypted password decoded. By somehow gaining access to the encrypted password, a local attacker could exploit this vulnerability to obtain the password to other systems.  
CVSS Base score: 7.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268265 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

**CVEID:**   CVE-2023-45185  
**DESCRIPTION:**   IBM i Access Client Solutions could allow an attacker to execute remote code. Due to improper authority checks the attacker could perform operations on the PC under the user's authority.  
CVSS Base score: 7.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268273 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM i Access Family

1.1.2 - 1.1.4,  
1.1.4.3 - 1.1.9.3

**Remediation/Fixes**

The issue can be fixed by upgrading to version 1.1.9.4 or later.   See IBM i Access Client Solutions updates for the latest version available.

Product(s)

Version(s)

Remediation/Fix/Instructions

IBM i Access Client Solutions

1.1.2 - 1.1.4,  
1.1.4.3 - 1.1.9.3

The current version of IBM i Access Client Solutions is available at Downloads.

Or you may download it from the general IBM i software site at  
Entitled Systems Support (ESS).

**Workarounds and Mitigations**

None.

**References**

Off

**Acknowledgement**

The vulnerability was reported to IBM by Michał Majchrowicz and Maksymilian Kubiak \[AFINE Team\].

**Change History**

08 Dec 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSRQKY","label":"IBM i Access Client Solutions"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"All","Edition":"","Line of Business":{"code":"LOB66","label":"Technology Lifecycle Services"}}\]

CVE-2023-45184: Security Bulletin: IBM i Access Client Solutions is vulnerable to remote code execution and failing to secure passwords due to multiple vulnerabilities

SQL Injection vulnerability in functions/point_list.php in Common Services soliberte before v4.3.03 allows attackers to obtain sensitive information via the lat and lng parameters.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “soliberte” for PrestaShop, an attacker can perform a SQL injection from >= 4.0.0 and < 4.3.03. Release 4.3.03 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-40921
*   **Published at**: 2023-12-12
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: soliberte
*   **Impacted release**: >= 4.0.0 and < 4.3.03 (4.3.03 fixed issue)
*   **Product author**: Common Services
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Before 4.3.03, a sensitive SQL calls in file functions/point_list.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted lat and lng variables.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Patch**

    --- a/modules/soliberte/classes/socolissimo.class.php
    +++ b/modules/soliberte/classes/socolissimo.class.php
    @@ -822,7 +822,7 @@ class So_Colissimo extends Module
            public function lookup_latlng($lat, $lng, $limiter = 30)
            {
                    $countDeactivateCarrier = 0;
    -               $formula = "(6366*acos(cos(radians('$lat'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('$lng'))+sin(radians('$lat'))*sin(radians(`lat`))))";
    +               $formula = "(6366*acos(cos(radians('" . (float)$lat . "'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('" . (float)$lng . "'))+sin(radians('" . (float)$lat . "'))*sin(radians(`lat`)))>
                    // meme principe que chmod pour savoir lesquels ne sont pas a inclure dans la recherche
                    if (!Configuration::get('SOLIBERTE_BPR'))
                            $countDeactivateCarrier += 4;
    @@ -899,8 +899,8 @@ class So_Colissimo extends Module
                    {
                            case $this->_retrait :
                                    if ($lat)
    -                                       $formula = "(6366*acos(cos(radians('$lat'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('$lng'))+sin(radians('$lat'))*sin(radians(`lat`))))";
    -                               $sql = 'select `id`, `libelle`, `adresse1`, `adresse2`, `lieudit`, `indice`, `code_postal`, `commune`, `lat`, `lng`, `mobilite_reduite`, `type`, `poids` '.
    +                                       $formula = "(6366*acos(cos(radians('" . (float)$lat . "'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('" . (float)$lng . "'))+sin(radians('" . (float) $lat . >
    +                               $sql = 'select `id`, `libelle`, `adresse1`, `adresse2`, `lieudit`, `indice`, `code_postal`, `commune`, `la t`, `lng`, `mobilite_reduite`, `type`, `poids` '.
                                            ($lat ? ', '.$formula.' as distance ' : '').
                                            ' from '.$this->_retrait.' where id = "'.(int)$pr_id.'"';
                                    $tab = 0;
    

**Other recommandations**

*   Upgrade PrestaShop to the latest version to disable multiquery execution (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2023-08-12

Vunlnerability found during a audit by 202 ecommerce

2023-08-16

Contact PrestaShop addons teams to get the scope

2023-09-18

PrestaShop addons teams confirm the issue and supply a fixed release

2023-08-15

Request a CVE ID

2023-08-25

Received CVE ID

2023-12-12

Publication of this advisory

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-40921: [CVE-2023-40921] Improper neutralization of a SQL parameter in deprecated soliberte module from Common Services for PrestaShop

Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access.

**Zoom Clients - Improper Authentication**

*   Bulletin: ZSB-23062
*   CVEID: CVE-2023-49646
*   CVSS Severity: Medium
*   CVSS Score: 5.4
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Description:

 Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

*   Zoom Desktop Client for Windows before version 5.16.5
*   Zoom Desktop Client for macOS before version 5.16.5
*   Zoom Mobile App for iOS before version 5.16.5
*   Zoom Mobile App for Android before version 5.16.5
*   Zoom Desktop Client for Linux before version 5.16.5
*   Zoom VDI Client before version 5.16.5 (excluding 5.14.14 and 5.15.12)
*   Zoom SDKs before version 5.16.5

Source:

Reported by Zoom Offensive Security Team.

**Subscribe for updates**

Please provide your individual email address to receive notification of future Zoom Security Bulletins. (Note: Email aliases will not receive these notifications.)

CVE-2023-49646: ZSB 23062

Path traversal in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows may allow an authenticated user to conduct an escalation of privilege via network access.

**Zoom Desktop Client for Windows, Zoom VDI Client for Windows and Zoom SDKs for Windows - Path Traversal**

*   Bulletin: ZSB-23059
*   CVEID: CVE-2023-43586
*   CVSS Severity: High
*   CVSS Score: 7.3
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Description:

Path traversal in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows may allow an authenticated user to conduct an escalation of privilege via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

*   Zoom Desktop Client for Windows before version 5.16.5
*   Zoom VDI Client before version 5.16.0 (excluding 5.14.14 and 5.15.12)
*   Zoom Video SDK for Windows before version 5.16.5
*   Zoom Meeting SDK for Windows before version 5.16.5

Source:

Reported by shmoul.

**Subscribe for updates**

Please provide your individual email address to receive notification of future Zoom Security Bulletins. (Note: Email aliases will not receive these notifications.)

CVE-2023-43586: ZSB 23059

Improper access control in Zoom Mobile App for iOS and Zoom SDKs for iOS before version 5.16.5 may allow an authenticated user to conduct a disclosure of information via network access.

**Zoom Mobile App for iOS and SDKs for iOS - Improper Access Control**

*   Bulletin: ZSB-23058
*   CVEID: CVE-2023-43585
*   CVSS Severity: High
*   CVSS Score: 7.1
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Description:

Improper access control in Zoom Mobile App for iOS and Zoom SDKs for iOS before version 5.16.5 may allow an authenticated user to conduct a disclosure of information via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

*   Zoom Mobile App for iOS before version 5.16.5
*   Zoom Video SDK for iOS before version 5.16.5
*   Zoom Meeting SDK for iOS before version 5.16.5
*   Zoom Meeting SDK for Android before version 5.16.0

Source:

Reported by Zoom Offensive Security Team.

**Subscribe for updates**

Please provide your individual email address to receive notification of future Zoom Security Bulletins. (Note: Email aliases will not receive these notifications.)

Tag

#auth