In bindSelection of DatabaseUtils.java, there is a possible way to access files from other applications due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "23d156ed1bed6d2c2b325f0be540d0afca510c49", "tree": "f54e4f4739f4a720de25255369dd018bae3b8a54", "parents": \[ "192c7711c1adc835c06720d59ddacb86c5e32b5f" \], "author": { "name": "Krishang Garodia", "email": "krishang@google.com", "time": "Mon Jun 19 11:43:45 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:32:33 2023 +0000" }, "message": "Remove invalid surrogates during bindSelection\\n\\nTest: atest MediaProviderTests\\nBug: 223793631\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:108f736d0ec6e974c3f947e7e568845b7e039a0a)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a48b01f78f28fc642b144c673bfcd12ae78c5a73)\\nMerged-In: I18b879f1a51394b4739225ec88b862fd6d0d5526\\nChange-Id: I18b879f1a51394b4739225ec88b862fd6d0d5526\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "55efafc7f79911ea4d1a6e57b01d745c277aaf4a", "old\_mode": 33188, "old\_path": "src/com/android/providers/media/util/DatabaseUtils.java", "new\_id": "53ecf964eef6d0a075c3af85a713744decb648f9", "new\_mode": 33188, "new\_path": "src/com/android/providers/media/util/DatabaseUtils.java" }, { "type": "modify", "old\_id": "685d897041ef04ba469574150494f0b0c1ed316d", "old\_mode": 33188, "old\_path": "tests/src/com/android/providers/media/util/DatabaseUtilsTest.java", "new\_id": "a907875898476236c1f5de7e25812fdf928509a1", "new\_mode": 33188, "new\_path": "tests/src/com/android/providers/media/util/DatabaseUtilsTest.java" } \] }

CVE-2023-35683

In hasPermissionForActivity of PackageManagerHelper.java, there is a possible way to start arbitrary components due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

)\]}' { "commit": "09f8b0e52e45a0b39bab457534ba2e5ae91ffad0", "tree": "dbd3cd11150c6a5ea77d78e2afe420a578af4d1b", "parents": \[ "4d098abb45aa38004cc5057b6dc382a148b56f01" \], "author": { "name": "Pinyao Ting", "email": "pinyaoting@google.com", "time": "Thu Jun 01 18:12:44 2023 -0700" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:31:09 2023 +0000" }, "message": "Fix permission issue in legacy shortcut\\n\\nWhen building legacy shortcut, Launcher calls\\nPackageManager#resolveActivity to retrieve necessary permission to\\nlaunch the intent.\\n\\nHowever, when the source app wraps an arbitrary intent within\\nIntent#createChooser, the existing logic will fail because launching\\nChooser doesn\\u0027t require additional permission.\\n\\nThis CL fixes the security vulnerability by performing the permission\\ncheck against the intent that is wrapped within.\\n\\nBug: 270152142\\nTest: manual\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c53818a16b4322a823497726ac7e7a44501b4442)\\nMerged-In: If35344c08975e35085c7c2b9b814a3c457a144b0\\nChange-Id: If35344c08975e35085c7c2b9b814a3c457a144b0\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "f42d30453b1727a5155f1bf5c56329e2c097b696", "old\_mode": 33188, "old\_path": "src/com/android/launcher3/util/PackageManagerHelper.java", "new\_id": "557d57e2d2d7efb4b310fe1bd1b8db50f9e86a71", "new\_mode": 33188, "new\_path": "src/com/android/launcher3/util/PackageManagerHelper.java" } \] }

CVE-2023-35682

In createQuickShareAction of SaveImageInBackgroundTask.java, there is a possible way to trigger a background activity launch due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "109e58b62dc9fedcee93983678ef9d4931e72afa", "tree": "7ef156a2d1225c1cb3d43620732bf609091ed48a", "parents": \[ "05b1ada4ed1326d7ad781142f4fff0de70dffeff" \], "author": { "name": "Miranda Kephart", "email": "mkephart@google.com", "time": "Fri Apr 28 10:58:46 2023 -0400" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:30:22 2023 +0000" }, "message": "\[DO NOT MERGE\] Update quickshare intent rather than recreating\\n\\nCurrently, we extract the quickshare intent and re-wrap it as a new\\nPendingIntent once we get the screenshot URI. This is insecure as\\nit leads to executing the original with SysUI\\u0027s permissions, which\\nthe app may not have. This change switches to using Intent.fillin\\nto add the URI, keeping the original PendingIntent and original\\npermission set.\\n\\nBug: 278720336\\nTest: manual (to test successful quickshare), atest\\nSaveImageInBackgroundTaskTest (to verify original pending intent\\nunchanged)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:02938e8ccae910d96578475a19dff0a5e746b03d)\\nMerged-In: Icad3d5f939fcfb894e2038948954bc2735dbe326\\nChange-Id: Icad3d5f939fcfb894e2038948954bc2735dbe326\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "50ee1f7ba97aabd377d1838b2cb3e17c46a909c9", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/screenshot/SaveImageInBackgroundTask.java", "new\_id": "f4a257fdd3ec7b6b5c97b8e6252f6ddf7059ddcc", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/screenshot/SaveImageInBackgroundTask.java" }, { "type": "modify", "old\_id": "5b6e5ce95b1483c83098f72fa5cb7051bb92425d", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/screenshot/ScreenshotController.java", "new\_id": "5928c9ec608589e9b245e5a4950db5077bb75c2c", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/screenshot/ScreenshotController.java" }, { "type": "modify", "old\_id": "f703058f4a0fb6251bcf51e099b79bb58d1e82a2", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/screenshot/SmartActionsReceiver.java", "new\_id": "ecc13ee747c8b4e116310436832ba03599c137c6", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/screenshot/SmartActionsReceiver.java" }, { "type": "add", "old\_id": "0000000000000000000000000000000000000000", "old\_mode": 0, "old\_path": "/dev/null", "new\_id": "03f8c93942184a59caa0ba86a737fa45e043b24e", "new\_mode": 33188, "new\_path": "packages/SystemUI/tests/src/com/android/systemui/screenshot/SaveImageInBackgroundTaskTest.kt" } \] }

CVE-2023-35676

In loadMediaResumptionControls of MediaResumeListener.kt, there is a possible way to play and listen to media files played by another user on the same device due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "c1cf4b9746c9641190730172522324ccd5b8c914", "tree": "8d25b1a0e76a99f4ad4862e72c3841c6d75925b4", "parents": \[ "f810d81839af38ee121c446105ca67cb12992fc6" \], "author": { "name": "Beth Thibodeau", "email": "ethibodeau@google.com", "time": "Thu Jun 22 18:26:44 2023 -0500" }, "committer": { "name": "Duy Truong", "email": "duytruong@google.com", "time": "Wed Jul 19 17:51:46 2023 -0700" }, "message": "Improve user handling when querying for resumable media\\n\\n- Before trying to query recent media from a saved component, check\\n whether the current user actually has that component installed\\n- Track user when creating the MediaBrowser, in case the user changes\\n before the MBS returns a result\\n\\nTest: atest MediaResumeListenerTest\\nBug: 284297711\\n(cherry picked from commit e566a250ad61e269119b475c7ebdae6ca962c4a7)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d61741288b4d7614e4677428aac6418f6f1d79f0)\\nMerged-In: I838ff0e125acadabc8436a00dbff707cc4be6249\\nChange-Id: I838ff0e125acadabc8436a00dbff707cc4be6249\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "cc06b6c678794756e09fb5a2915727137f21fc48", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/media/MediaResumeListener.kt", "new\_id": "bad87de438e5f4c5e6154f606bd673e1ebc21bab", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/media/MediaResumeListener.kt" }, { "type": "modify", "old\_id": "40a5653a15a0e4d787714c00a042d64f3b868a4a", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/media/ResumeMediaBrowser.java", "new\_id": "018697f772e0024ea6101501a62e55027b23ca1b", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/media/ResumeMediaBrowser.java" }, { "type": "modify", "old\_id": "3d1380b6bd243ccaa79bb1f4fc512444f9ab4494", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/media/ResumeMediaBrowserFactory.java", "new\_id": "fca0ab7e531650f01663aceb0f770b098ccf232c", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/media/ResumeMediaBrowserFactory.java" }, { "type": "modify", "old\_id": "3d3ac836d26499639288249db236b2c7a4b405d5", "old\_mode": 33188, "old\_path": "packages/SystemUI/tests/src/com/android/systemui/media/MediaResumeListenerTest.kt", "new\_id": "e7df1a219d3e2502da142a8be84371d63ef4f99e", "new\_mode": 33188, "new\_path": "packages/SystemUI/tests/src/com/android/systemui/media/MediaResumeListenerTest.kt" }, { "type": "modify", "old\_id": "dafaa6b936968ea7f59078be6405875b43444421", "old\_mode": 33188, "old\_path": "packages/SystemUI/tests/src/com/android/systemui/media/ResumeMediaBrowserTest.kt", "new\_id": "e3134d482955c2aa56ecd990be5bedd4af6abe43", "new\_mode": 33188, "new\_path": "packages/SystemUI/tests/src/com/android/systemui/media/ResumeMediaBrowserTest.kt" } \] }

CVE-2023-35675

In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to control other running activities due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "f810d81839af38ee121c446105ca67cb12992fc6", "tree": "b2589522f06167da4811d58d8b9a0bc6f4357734", "parents": \[ "109e58b62dc9fedcee93983678ef9d4931e72afa" \], "author": { "name": "Dmitry Dementyev", "email": "dementyev@google.com", "time": "Wed Jul 05 10:45:04 2023 -0700" }, "committer": { "name": "Duy Truong", "email": "duytruong@google.com", "time": "Wed Jul 19 17:51:46 2023 -0700" }, "message": "Update AccountManagerService checkKeyIntentParceledCorrectly.\\n\\nBug: 265798288\\nTest: manual\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8476b140eed0235df4e8f07d94420a1471191b55)\\nMerged-In: Ia2030a9dc371dccadd4e188a529351ac4232bb4f\\nChange-Id: Ia2030a9dc371dccadd4e188a529351ac4232bb4f\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "639f35e1ae13895c1c785e78b1f99ffa3ac414e0", "old\_mode": 33188, "old\_path": "services/core/java/com/android/server/accounts/AccountManagerService.java", "new\_id": "7a19d034c2c820b6197c6c37ae94cbada72926a2", "new\_mode": 33188, "new\_path": "services/core/java/com/android/server/accounts/AccountManagerService.java" } \] }

CVE-2023-35669

In updateList of NotificationAccessSettings.java, there is a possible way to hide approved notification listeners in the settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "d8355ac47e068ad20c6a7b1602e72f0585ec0085", "tree": "f8cac26c332efe2eea5230b368e944cfd75b4582", "parents": \[ "185bd5b809d252a866952cec5b97897fd261447b" \], "author": { "name": "Matías Hernández", "email": "matiashe@google.com", "time": "Mon Jun 05 18:24:04 2023 +0200" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:31:24 2023 +0000" }, "message": "Don\\u0027t hide approved NLSes in Settings\\n\\nNote that an NLS that shouldn\\u0027t be approvable (because its name is too long) but was already approved (either before the max length check was introduced, or through other means) will disappear from the list if the user revokes its access. This might be somewhat confusing, but since this is a very-edge case already it\\u0027s fine.\\n\\nBug: 282932362\\nTest: manual\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ff255c6eda1528f01a167a9a65b7f8e414d28584)\\nMerged-In: I4c9faea68e6d16b1a4ec7f472b5433cac1704c06\\nChange-Id: I4c9faea68e6d16b1a4ec7f472b5433cac1704c06\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "56d3f0e445c773b94df4971107f6755ded8d7d32", "old\_mode": 33188, "old\_path": "src/com/android/settings/notification/NotificationAccessSettings.java", "new\_id": "369c4f6dfaf81bcd91d764eff38c6309c16504bb", "new\_mode": 33188, "new\_path": "src/com/android/settings/notification/NotificationAccessSettings.java" }, { "type": "modify", "old\_id": "150dbe0483d208bd64bf5892f7b48ecc32add162", "old\_mode": 33188, "old\_path": "src/com/android/settings/notification/NotificationBackend.java", "new\_id": "cbc3e72e224cb8347af1437cd7b7629178946de9", "new\_mode": 33188, "new\_path": "src/com/android/settings/notification/NotificationBackend.java" }, { "type": "add", "old\_id": "0000000000000000000000000000000000000000", "old\_mode": 0, "old\_path": "/dev/null", "new\_id": "e644c2975b71fecf26e47754f6d77f4aab142a3a", "new\_mode": 33188, "new\_path": "tests/robotests/src/com/android/settings/notification/NotificationAccessSettingsTest.java" } \] }

CVE-2023-35667

ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2.

**Autocomplete <select>**Edit this page

**Autocomplete <select>**

Transform your EntityType, ChoiceType or _any_ <select> element into an Ajax-powered autocomplete smart UI control (leveraging Tom Select):

**Installation**

Before you start, make sure you have StimulusBundle configured in your app.

Then install the bundle using Composer and Symfony Flex:

If you're using WebpackEncore, install your assets and restart Encore (not needed if you're using AssetMapper):

**Usage in a Form (without Ajax)**

Any ChoiceType or EntityType can be transformed into a Tom Select-powered UI control by adding the autocomplete option:

That's all you need! When you refresh, the Autocomplete Stimulus controller will transform your select element into a smart UI control:

**Usage in a Form (with Ajax)**

In the previous example, the autocomplete happens "locally": all of the options are loaded onto the page and used for the search.

If you're using an EntityType with _many_ possible options, a better option is to load the choices via AJAX. This also allows you to search on more fields than just the "displayed" text.

To transform your field into an Ajax-powered autocomplete, you need to create a new "form type" class to represent your field. If you have MakerBundle installed, you can run:

Or, create the field by hand:

There are 3 important things:

1.  The class needs the #[AsEntityAutocompleteField] attribute so that it's noticed by the autocomplete system.
2.  The getParent() method must return ParentEntityAutocompleteType.
3.  Inside configureOptions(), you can configure your field using whatever normal EntityType options you need plus a few extra options (see Form Options Reference).

After creating this class, use it in your form:

Caution

Avoid passing any options to the 3rd argument of the ->add() method as these won't be used during the Ajax call to fetch results. Instead, include all options inside the custom class (FoodAutocompleteField).

Congratulations! Your EntityType is now Ajax-powered!

**Styling Tom Select**

In your assets/controllers.json file, you should see a line that automatically includes a CSS file for Tom Select which will give you basic styles.

If you're using Bootstrap, set tom-select.default.css to false and tom-select.bootstrap5.css to true:

To further customize things, you can override the classes with your own custom CSS and even control how individual parts of Tom Select render. See Tom Select Render Templates.

**Form Options Reference**

All ChoiceType, EntityType and TextType fields have the following new options (these can also be used inside your custom Ajax autocomplete classes, e.g. FoodAutocompleteField from above):

autocomplete (default: false)

Set to true to activate the Stimulus plugin on your select element.

tom_select_options (default: [])

Use this to set custom Tom Select Options. If you need to set an option using JavaScript, see Extending Tom Select.

options_as_html (default: false)

Set to true if your options (e.g. choice_label) contain HTML. Not needed if your autocomplete is AJAX-powered.

autocomplete_url (default: null)

Usually you don't need to set this manually. But, you _could_ manually create an autocomplete-Ajax endpoint (e.g. for a custom ChoiceType), then set this to change the field into an AJAX-powered select.

no_results_found_text (default: 'No results found')

Rendered when no matching results are found. This message is automatically translated using the AutocompleteBundle domain.

no_more_results_text (default: 'No more results')

Rendered at the bottom of the list after showing matching results. This message is automatically translated using the AutocompleteBundle domain.

For the Ajax-powered autocomplete field classes (i.e. those whose getParent() returns ParentEntityAutocompleteType), in addition to the options above, you can also pass:

searchable_fields (default: null)

Set this to an array of the fields on your entity that should be used when searching for matching options. By default (i.e. null), _all_ fields on your entity will be searched. Relationship fields can also be used - e.g. category.name if your entity has a category relation property.

security (default: false)

Secures the Ajax endpoint. By default, the endpoint can be accessed by any user. To secure it, pass security to a string role (e.g. ROLE_FOOD_ADMIN) that should be required to access the endpoint. Or, pass a callback and return true to grant access or false to deny access:

filter_query (default: null)

If you want to completely control the query made for the "search results", use this option. This is incompatible with searchable_fields:

max_results (default: 10)

Allow you to control the max number of results returned by the automatic autocomplete endpoint.

min_characters (default: 3)

Allow you to control the min number of characters to load results.

preload (default: focus)

Set to focus to call the load function when control receives focus. Set to true to call the load upon control initialization (with an empty search).

**Using with a TextType Field**

All of the above options can also be used with a TextType field:

This <input> field won't have any autocomplete, but it _will_ allow the user to enter new options and see them as nice "items" in the box. On submit, all of the options - separated by the delimiter - will be sent as a string.

You _can_ add autocompletion to this via the autocomplete_url option - but you'll likely need to create your own custom autocomplete endpoint.

**Customizing the AJAX URL/Route**

2.7

The ability to specify the route was added in Twig Components 2.7.

The default route for the Ajax calls used by the Autocomplete component is /autocomplete/{alias}/. Sometimes it may be useful to customize this URL - e.g. so that the URL lives under a specific firewall.

To use another route, first declare it:

Then specify this new route on the attribute:

**Extending Tom Select**

The easiest way to customize Tom Select is via the tom_select_options option that you pass to your field. This works great for simple things like Tom Select's loadingClass option, which is set to a string. But other options, like onInitialize, must be set via JavaScript.

To do this, create a custom Stimulus controller and listen to one or both events that the core Stimulus controller dispatches:

Note

The extending controller should be loaded eagerly (remove /* stimulusFetch: 'lazy' */), so it can listen to events dispatched by the original controller.

Then, update your field configuration to use your new controller (it will be used in addition to the core Autocomplete controller):

Or, if using a custom Ajax class, add the attr option to your configureOptions() method:

**Advanced: Creating an Autocompleter (with no Form)**

If you're not using the form system, you can create an Ajax autocomplete endpoint and then initialize the Stimulus controller manually. This only works for Doctrine entities: see Manually using the Stimulus Controller if you're autocompleting something other than an entity.

To expose the endpoint, create a class that implements Symfony\UX\Autocomplete\EntityAutocompleterInterface and tag this service with ux.entity_autocompleter, including an alias option:

Thanks to this, your can now autocomplete your Food entity via the ux_entity_autocomplete route and alias route wildcard:

Usually, you'll pass this URL to the Stimulus controller, which is discussed in the next section.

**Manually using the Stimulus Controller**

This library comes with a Stimulus controller that can activate Tom Select on any select or input element. This can be used outside of the Form component. For example:

That's it! If you want the options to be autocompleted via Ajax, pass a url value, which works well if you create a custom autocompleter:

Note

If you want to create an AJAX autocomplete endpoint that is _not_ for an entity, you will need to create this manually. The only requirement is that the response returns JSON with this format:

for using Tom Select Option Group the format is as follows

Once you have this, generate the URL to your controller and pass it to the url value of the stimulus_controller() Twig function, or to the autocomplete_url option of your form field. The search term entered by the user is passed as a query parameter called query.

Beyond url, the Stimulus controller has various other values, including tomSelectOptions. See the controller.ts file for the full list.

**Unit testing**

When writing unit tests for your form, using the TypeTestCase class, you consider registering the needed type extension AutocompleteChoiceTypeExtension like so:

**Known Issue when using with Live Component**

You _can_ use autocomplete inside of a Live Component: the autocomplete JavaScript widget should work normally and even update if your element changes (e.g. if you add or change <option> elements. Internally, a MutationObserver inside the UX autocomplete controller detects these changes and forwards them to TomSelect.

However, if you use the multiple option, due to complexities in TomSelect, the autocomplete widget _will_ work, but it will not update if you change any options. For example, if your change the "options" for a select during re-render, those will not update on the frontend.

CVE-2023-41336: Symfony UX Autocomplete Documentation

The URL Shortify WordPress plugin before 1.7.6 does not properly escape the value of the referer header, thus allowing an unauthenticated attacker to inject malicious javascript that will trigger in the plugins admin panel with statistics of the created short link.

CVE-2023-4294

Interact 7.9.79.5 allows stored Cross-site Scripting (XSS) attacks in several locations, allowing an attacker to store a JavaScript payload.

**Abstract Advisory Information**

The feature, to attach a document to a post, is prone to stored Cross-site Scripting (XSS) attacks in several locations allowing an attacker to store a JavaScript payload.

Author: Dominique Righetto

**Version affected**

Name: Interact Software

Versions: 7.9.79.5

**Common Vulnerability Scoring System**

CVSS SCORE 5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

**Patch**

No patch available

**References**

CVE – CVE-2023-41103 (mitre.org)

**Vulnerability Disclosure Timeline**

*   *   20/05/2022: Vulnerability discovery
    *   22/05/2022: Vulnerability Report to CERT-XLM
    *   05/06/2022: Vulnerability Report to Vendor through investigation
    *   05/06/2022: Vulnerability Report to Vendor through investigation
    *   13/06/2022: Vulnerability Report to Vendor through investigation
    *   20/06/2022: Community account creation asked to InteractSoftware to contact their technical departement
    *   20/06/2022: Vulnerability Report to Vendor through investigation
    *   20/06/2022: Urge vendor to reply via twitter
    *   04/07/2023: Update asking to vendor through investigation
    *   04/07/2023: Update asking to vendor for the community account creation
    *   15/07/2023: Ticket for a community account creation closed
    *   17/07/2023: Reply to help@interact-intranet.com asking for an update
    *   19/07/2023: Reply to help@interact-intranet.com asking for an update
    *   01/08/2023: Phonecall to +1 (646) 564 5775, gave vendor information for them to reach us back
    *   01/08/2023: Phonecall to +1 (646) 564 5775
    *   16/08/2023: Phonecall to +1 (646) 564 5775, got redirected to help@interactsoftware.com.
    *   16/08/2023: Update asked to help@interactsoftware.com.
    *   16/08/2023: Request CVE ID to Mitre
    *   23/08/2023: CVE IDs assigned : CVE-2023-41103
    *   24/08/2023: Vulnerabilty disclosure

Our website uses cookies technologies to assist with navigation and your ability to provide feedback, analyze your use of our products and services, to enable you to use the social media functionalities and assist with our promotional and marketing efforts, and provide content from third parties. You may choose to opt-out from all non-essential cookies or allow them for a better browsing experience.  
For more information on the use of cookies, Please check our Privacy Notice ACCEPT REJECT SETTINGS

CVE-2023-41103: CVE-2023-41103 - Excellium Services

An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\Clients\www.

    # Exploit Title: TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions
    # Date: 2023-08-09
    # Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
    # Vendor Homepage: https://tsplus.net/
    # Version: Up to 16.0.2.14
    # Tested on: Windows
    # CVE : CVE-2023-31067
    
    TSplus Remote Access (v. 16.0.2.14) is an alternative to Citrix and 
    Microsoft RDS for remote desktop access and Windows application 
    delivery. Web-enable your legacy apps, create SaaS solutions or remotely 
    access your centralized corporate tools and files.
    The TSplus Remote Access solution comes with an embedded web server to 
    allow remote users to easely connect remotely.
    However, insecure file and folder permissions are set and this could 
    allow a malicious user to manipulate file content (e.g.: changing the 
    code of html pages or js scripts) or change legitimate files (e.g. 
    Setup-VirtualPrinter-Client.exe) in order to compromise a system or to 
    gain elevated privileges.
    
    This is the list of insecure files and folders with their respective 
    permissions:
    Everyone:(OI)(CF)(F) and Everyone(F)
    Permission: Everyone:(OI)(CI)(F)
    
    C:\Program Files (x86)\TSplus\Clients\www
    C:\Program Files (x86)\TSplus\Clients\www\addons
    C:\Program Files (x86)\TSplus\Clients\www\ConnectionClient
    C:\Program Files (x86)\TSplus\Clients\www\downloads
    C:\Program Files (x86)\TSplus\Clients\www\prints
    C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient
    C:\Program Files (x86)\TSplus\Clients\www\software
    C:\Program Files (x86)\TSplus\Clients\www\var
    C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp
    C:\Program Files (x86)\TSplus\Clients\www\downloads\shared
    C:\Program Files (x86)\TSplus\Clients\www\software\java
    C:\Program Files (x86)\TSplus\Clients\www\software\js
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\locales
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\topmenu
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\key\parts
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\cp
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\srv
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\images
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\java\third\images\bramus
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\java\third\js\prototype
    C:\Program Files (x86)\TSplus\Clients\www\var\log
    C:\Program Files (x86)\TSplus\UserDesktop\themes
    C:\Program Files (x86)\TSplus\UserDesktop\themes\BlueBar
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Default
    C:\Program Files (x86)\TSplus\UserDesktop\themes\GreyBar
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Logon
    C:\Program Files (x86)\TSplus\UserDesktop\themes\MenuOnTop
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Seamless
    C:\Program Files (x86)\TSplus\UserDesktop\themes\ThinClient
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Vista
    
    ------------------------------------------------------------------------------
    
    Permission: Everyone:(F)
    
    C:\Program Files (x86)\TSplus\Clients\www\all.min.css
    C:\Program Files (x86)\TSplus\Clients\www\custom.css
    C:\Program Files (x86)\TSplus\Clients\www\popins.css
    C:\Program Files (x86)\TSplus\Clients\www\robots.txt
    C:\Program Files 
    (x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe
    C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\hb.exe.config
    C:\Program Files 
    (x86)\TSplus\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
    C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp\index.html
    C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient\index.html
    C:\Program Files (x86)\TSplus\Clients\www\software\common.css
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\jwres\jwwebsockify.jar
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres\web.jar
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\exitlist.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\exitupload.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\getlist.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\getupload.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\postupload.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\uploaderr.html
    C:\Program Files (x86)\TSplus\Clients\www\software\java\index.html
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\index.html
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\port.bin
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\jws.js
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\sha256.js
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\java\third\js\prototype\prototype.js
    C:\Program Files (x86)\TSplus\Clients\www\software\js\jquery.min.js

Tag

#java