Teedy v1.11 has a vulnerability in its text editor that allows events

to be executed in HTML tags that an attacker could manipulate. Thanks

to this, it is possible to execute malicious JavaScript in the webapp.





**teedy.io**

© {{ currentDate | date: 'yyyy' }} {{ 'index.copyright' | translate }}

CVE-2023-4892: {{ $title }}

Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog.

This issue affects Docker Desktop: before 4.12.0.



CVE-2023-0625: Docker Desktop release notes

Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL.

This issue affects Docker Desktop: before 4.23.0.



CVE-2023-5166: Docker Desktop release notes

Cross Site Scripting vulnerability in Service Provider Management System v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the firstname, middlename and lastname parameters in the /php-spms/admin/?page=user endpoint.

**About the Application**

This Service Provider Management System v.1.0 is a sort of Content Management System (CMS) that is built specifically for companies that provide different services. The project is a company website that allows the management to dynamically manage the site information and other data on the front end. This project has 2 modules which are the Public and Management site.

The Management Site is the side of the system where accessible to the company staff or system-registered users only. On this site, users are required to log in with their valid system credentials to gain access to the features and functionalities. Users have 2 different roles which are the Administrator and the Staff. The Administrator users have the privilege to manage and access all the features and functionalities of the said site while the Staff users only have limited permissions. Here, system users can manage the list of services that their company provided. They can also update the dynamic page content of the public website on this side.

**Vulnerability Description**

Cross Site Scripting vulnerability in Service Provider Management System v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the firstname, middlename and lastname parameters in the /php-spms/admin/?page=user endpoint.

**Vulnerable Code**

**Filename:** /php-spms/admin/user/index.php

**Vulnerable Endpoint:** /php-spms/admin/?page=user

**Vulnerable Parameter:** firstname, middlename, lastname

**Code:**

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

<form action="" id="manage-user">	
	<input type="hidden" name="id" value="<?php echo $_settings->userdata('id') ?>">
		<div class="form-group">
			<label for="name">First Name</label>
			<input type="text" name="firstname" id="firstname" class="form-control" value="<?php echo isset($meta['firstname']) ? $meta['firstname']: '' ?>" required>
		</div>
		<div class="form-group">
			<label for="name">Middle Name</label>
			<input type="text" name="middlename" id="middlename" class="form-control" value="<?php echo isset($meta['middlename']) ? $meta['middlename']: '' ?>">
		</div>
		<div class="form-group">
			<label for="name">Last Name</label>
			<input type="text" name="lastname" id="lastname" class="form-control" value="<?php echo isset($meta['lastname']) ? $meta['lastname']: '' ?>" required>
		</div>
		<div class="form-group">
			<label for="username">Username</label>
			<input type="text" name="username" id="username" class="form-control" value="<?php echo isset($meta['username']) ? $meta['username']: '' ?>" required  autocomplete="off">
		</div>
		<div class="form-group">
			<label for="password">Password</label>
			<input type="password" name="password" id="password" class="form-control" value="" autocomplete="off"><small><i>Leave this blank if you dont want to change the password.</i></small>
		</div>
		<div class="form-group">
			<label for="" class="control-label">Avatar</label>
			<div class="custom-file">
				<input type="file" class="form-control" id="customFile" name="img" onchange="displayImg(this,$(this))" accept="image/png, image/jpeg">
			</div>
		</div>
		<div class="form-group d-flex justify-content-center">
			<img src="<?php echo validate_image(isset($meta['avatar']) ? $meta['avatar'] :'') ?>" alt="" id="cimg" class="img-fluid img-thumbnail">
		</div>
</form>

When users input their names, such as their firstname, middlename, and lastname, the website neglects the critical step of sanitizing this information to ensure it’s free from potentially harmful characters before storing it in the backend. This oversight creates a security vulnerability known as ‘Stored Cross-Site Scripting’ (Stored XSS), especially concerning these name parameters.

Stored Cross-Site Scripting (XSS) is a type of security vulnerability that occurs in web applications when user input, often in the form of text or other content, is not properly sanitized or validated before being stored on the server and then later displayed to other users. This vulnerability allows attackers to inject malicious scripts, typically in the form of JavaScript code, into the application’s data storage. When other users retrieve and view this data, the injected script code is executed within their browsers, potentially leading to a range of malicious actions.

**Impact of Stored Cross-Site Scripting**

The impacts of Stored Cross-Site Scripting (Stored XSS) are mentioned below:

**Session Hijacking**: Attackers can hijack user sessions, gaining unauthorized access to accounts and allowing them to perform actions on behalf of users or access confidential data.

**Manipulation of Web Pages**: Stored XSS can alter the appearance and functionality of web pages, potentially tricking users into executing unintended actions, clicking on malicious links, or downloading malware.

**Attack Scenario**

*   Go to http://application ip/php-spms/admin/?page=user.

*   Provide payload as "><script>alert("XSS on Firstname"), "><script>alert("XSS on Middlename"), "><script>alert("XSS on Lastname") on parameter such as firstname, middlename and lastname respectively.

_User Details_

*   Click on Update.
    
*   You will observe the popup of each payload we provided.
    

_XSS on Firstname_

_XSS on Middlename_

_XSS on Lastname_

Mitigating stored cross-site scripting (XSS) vulnerabilities is crucial for securing web applications. To prevent stored XSS, follow these best practices:

*   **Whitelist Input**: Only allow specific, safe characters and patterns in user input. Reject any input that doesn’t conform to this whitelist.
    
*   **Data Sanitization**: Filter and clean user input to remove or encode any potentially malicious characters. Use libraries like OWASP’s Java Encoder, PHP’s htmlspecialchars, or equivalent functions in other languages.
    
*   **Sanitization Libraries**: Use security libraries and frameworks that provide built-in XSS prevention mechanisms, such as Ruby on Rails, Django, or AngularJS.
    
*   **Use HTTP-Only Cookies**: Mark cookies as HTTP-only to prevent JavaScript from accessing them, reducing the impact of XSS attacks.
    
*   **Session Management**: Implement secure session management to ensure that session cookies and tokens are properly protected and rotated.
    
*   **Security Headers**: Use security headers like X-XSS-Protection and X-Content-Type-Options to instruct browsers to mitigate certain types of attacks.
    

That’s all in this writeup.

Thanks for reading this far. If you enjoyed the writeup, do support me **here**.

CVE-2023-43456: CVE-2023-43456 - Stored Cross-Site Scripting (XSS)

OPNsense versions 23.1.11_1, 23.7.3, and 23.7.4 suffer from cross site scripting vulnerabilities that can allow for privilege escalation.

Advisory X41-2023-001: Two Vulnerabilities in OPNsense  
===========================================================  
Highest Severity Rating: High  
Confirmed Affected Versions: 23.1.11_1, 23.7.3, 23.7.4  
Confirmed Patched Versions: Commit 484753b2abe3fd0fcdb73d8bf00c3fc3709eb8b7  
Vendor: Deciso B.V. / OPNsense  
Vendor URL: https://opnsense.org  
Credit: X41 D-Sec GmbH, Yasar Klawohn and JM  
Status: Public   
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2023-001-opnsense

Summary and Impact  
------------------  
The OPNsense dashboard displays widgets with information about the system,  
running services, gateways and more. These widgets can be arranged in  
different orders and columns. The values for the number of columns and the  
order of widgets are stored server-side and are the same for all users of an  
OPNsense instance. They are reflected unmodified on every visit. This can be  
abused by a low-privileged attacker to inject their own content into the  
page, enabling a cross-site scripting (XSS) attack that can result in  
privilege escalation.

Product Description  
-------------------  
OPNsense is an open source, FreeBSD-based firewall and routing operating  
system. It includes many features of commercial firewalls and can be managed  
entirely via its web GUI.

Stored XSS in the OPNsense Dashboard via the column_count Parameter  
===================================================================  
Severity Rating: High  
Vector: Network  
CWE: 79  
CVSS Score: 8.0  
CVSS Vector: 3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H  
Credit: X41 D-Sec GmbH, Yasar Klawohn

Analysis  
--------  
The number of columns displayed in the dashboard is set via an HTTP POST  
request to /index.php, using the column_count request parameter. This  
parameter is not properly escaped when returned to the client. To exploit  
this issue, the payload "><script>alert(1)</script> is submitted as part of  
the column_count parameter. This input is reflected unmodified in the  
response and on any subsequent visit to the dashboard by any user. Only the  
"Lobby: Login / Logout / Dashboard" permission is required to abuse this  
issue.

Once the server receives the POST request, the column_count parameter is  
written unmodified into the configuration:

} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['origin'])  
            && $_POST['origin'] == 'dashboard') {  
    // ...  
    if (!empty($_POST['column_count'])) {  
        $config['widgets']['column_count'] = $_POST['column_count'];  
    } elseif(isset($config['widgets']['column_count'])) {  
        unset($config['widgets']['column_count']);  
    }  
    write_config('Widget configuration has been changed');  
    header(url_safe('Location: /index.php'));  
    exit;  
}  
// from:  
// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L66-L79

If the column_count parameter is not empty, it is used unmodified: 

// ...  
if ($_SERVER['REQUEST_METHOD'] === 'GET') {  
    $pconfig = $config['widgets'];  
    // ...  
    $pconfig['column_count'] =  
       !empty($pconfig['column_count']) ? $pconfig['column_count'] : 2;  
    // ...  
// from:  
// https://github.com/opnsense/core/blob/306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L42

Below, the unmodified value is written:

  
<section class="page-content-main">  
  <form method="post" id="iform">  
    <input type="hidden" value="dashboard" name="origin" id="origin" />  
    <input type="hidden" value="" name="sequence" id="sequence" />  
    <input type="hidden" value="<?= $pconfig['column_count'];?>"  
        name="column_count" id="column_count_input" />  
  </form>  
  


Proof of Concept  
----------------  
Log in as root. On the left side, go to System -> Access -> Users, and add a  
new user. For "Effective Privileges", only select "Lobby: Login / Logout /  
Dashboard". The user is now only able to view the dashboard and the help  
pages.

Log in as that newly created user and open your browser's network monitor.  
In the OPNsense dashboard, select "1 column" from the top right and then  
press "save settings". Repeat the POST request and replace the column_count  
variable with

column_count=1"><script>alert(1)</script>

Now, log in as admin again, you should see an alert box resulting from the  
following HTML response:

<form method="post" id="iform">  
      
    <input type="hidden" value="1">  
        <script>alert(1)</script>"  
        name="column_count" id="column_count_input" />  
</form>

This is the stored XSS and can result in privilege escalation. The OPNsense  
developers did apply a Content-Security-Policy, but unfortunately allow  
unsafe-inline and unsafe-eval for scripts, which does not prevent the  
exploitation of this vulnerability.

Stored XSS in the OPNsense Dashboard via the sequence Parameter  
===============================================================  
Severity Rating: High   
Vector: Network  
CWE: 79  
CVSS Score: 8.0  
CVSS Vector: 3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H  
Credit: X41 D-Sec GmbH, JM and Yasar Klawohn

Analysis  
--------  
The order in which the widgets are displayed in the Dashboard is set via an  
HTTP POST request to /index.php, using the sequence request parameter. This  
parameter is not properly escaped when returned to the client. To exploit  
this issue, the payload "><script>alert(1)</script> is submitted as part of  
the sequence parameter. This input is reflected unmodified in the response  
and on any subsequent visit to the dashboard by any user. Only the "Lobby:  
Login / Logout / Dashboard" permission is required to abuse this issue.

The order in which widgets are displayed on the dashboard can be set in the  
same POST request, via the sequence parameter. The sequence parameter has the  
following format:

sequence=services_status-container:00000000-col3:show,  
    interface_list-container:00000001-col4:show,  
    gateways-container:00000002-col4:show

Once the server receives the POST request, the sequence parameter is written  
unmodified into the configuration:

} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['origin'])  
            && $_POST['origin'] == 'dashboard') {  
    if (!empty($_POST['sequence'])) {  
        $config['widgets']['sequence'] = $_POST['sequence'];  
    } elseif (isset($config['widgets']['sequence'])) {  
        unset($config['widgets']['sequence']);  
    }  
    // ...  
    write_config('Widget configuration has been changed');  
    header(url_safe('Location: /index.php'));  
    exit;  
}  
// from:  
// https://github.com/opnsense/core/blob/cbaf7cee1f0a6fabd1ec4c752a5d169c402976dc/src/www/index.php#L66-L80

When serving a GET request, the sequence parameter is returned unmodified,  
starting with a read of its value from the configuration:

// ...  
$pconfig = $config['widgets'];  
// set default dashboard view  
$pconfig['sequence'] = !empty($pconfig['sequence']) ?  
    $pconfig['sequence'] : '';  
// ...  
// from:  
// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L39-L41

sequence is then split by comma and further split by colon into name,  
sortKey, and state. The list of widgets is sorted on the server side using  
the sortKey.

$widgetSeqParts = explode(",", $pconfig['sequence']);  
foreach (glob('/usr/local/www/widgets/widgets/*.widget.php') as $php_file) {  
    $widgetItem = array();  
    // [...]  
    foreach ($widgetSeqParts as $seqPart) {  
        $tmp = explode(':', $seqPart);  
        if (count($tmp) == 3 &&  
            explode('-', $tmp[0])[0] == $widgetItem['name']  
        ) {  
            $widgetItem['state'] = $tmp[2];  
            $widgetItem['sortKey'] = $tmp[1];  
        }  
    }  
    $widgetCollection[] = $widgetItem;  
}  
// sort widgets  
usort($widgetCollection, function ($item1, $item2) {  
    return strcmp(strtolower($item1['sortKey']),  
        strtolower($item2['sortKey']));  
});  
// from:  
// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L44-L65

Finally, the sortKey is written unescaped into an HTML attribute:

<section  
    class="widgetdiv"  
    data-sortkey="<?=$widgetItem['sortKey'] ?>"  
    id="<?=$widgetItem['name'];?>"  
    style="display:<?=$divdisplay;?>;"  


Proof of Concept  
----------------  
Log in as root. On the left side, go to System -> Access -> Users, and add a  
new user. For "Effective Privileges", only select "Lobby: Login / Logout /  
Dashboard". The user is now only able to view the dashboard and the help  
pages.

Log in as that newly created user and open your browser's network monitor. In  
the OPNsense dashboard, reorder the widgets via drag-and-drop, then press  
"save settings".

Repeat the POST request and replace the sequence variable with

sequence=gateways-container:1"><script>alert(1)</script>-col4:show

Now, log in as admin again, you should see an alert box resulting from the  
following HTML response:

<div class="container-fluid">  
      
        <section class="widgetdiv" data-sortkey="1">  
            <script>alert(2)</script>  
            -col4" id="gateways"  style="display:block;">

This is the stored XSS and can result in privilege escalation.

The OPNsense developers did apply a Content-Security-Policy, but  
unfortunately allow unsafe-inline and unsafe-eval for scripts, which does not  
prevent the exploitation of this vulnerability.

Workarounds  
===========

Remove all effective privileges for /index.php* of low-privilege users.

Timeline  
========  
2023-09-13: Problem discovered

2023-09-14: Write-up and discovery of second finding

2023-09-19: Disclosure to Deciso B.V. / OPNsense

2023-09-19: Issue fixed upstream by Deciso B.V. / OPNsense

2023-09-20: CVE requested

2023-09-20: Informed Deciso B.V. / OPNsense that we will make the issues  
public the following day, since the patch is public

2023-09-21: Release of advisory

About X41 D-Sec GmbH  
====================  
X41 is an expert provider for application security services.  
Having extensive industry experience and expertise in the area of information  
security, a strong core security team of world class security experts enables  
X41 to perform premium security services.

Fields of expertise in the area of application security are security centered  
code reviews, binary reverse engineering and vulnerability discovery.  
Custom research and IT security consulting and support services are core  
competencies of X41.

OPNsense 23.1.11_1 / 23.7.3 / 23.7.4 Cross Site Scripting / Privilege Escalation

Apple Security Advisory 2023-09-21-7 - macOS Monterey 12.7 addresses a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-21-7 macOS Monterey 12.7

macOS Monterey 12.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213932.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Additional CVE entries coming soon.

Kernel  
Available for: macOS Monterey  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Additional recognition

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group for their assistance.

macOS Monterey 12.7 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+UACgkQX+5d1TXa  
Ivodjg/+Lz5oU3oZFmJoiYgTRKvcCVcRb/u8ioWsOxB0ZZQ1Z7o/KCi/ccV09fRy  
zbt72qAzpjseCcfq46hgy+zIuKgbOdXvUJZEOywZuWmPy540sB7YDm/BsinP7ESA  
XTlh1BnKL6kboXMZ0zurdW1kzAMqLjxYp/ku5ySSCG8YWwtjgvmYM7fjoRhj7/rp  
If5mmHkTdlEvRL1OZni3kmP5uMyAAQ5kB/LOwE5euqFJb5mtgAZaXPGZe2UPIaWw  
mHTI3SwyGtEcehuOBi3jArJMI3r/k4qYfOpK5Z3rwJrffdK6ztCMgePKfF7IuWS+  
VRgCnhyL7eu2THyK03m4VwzyuYuUDLYXkFDmEE4K5ymedSjjFaZpF27SOVYGD6G9  
oGoxnJ8k55Ldy6El/caiKb2YNgMD5KPsCCvZRim3o+ADl1E2q5TfU5d9nnG6DPXP  
ZXDb4Q/IQRTlKhunJ6cDA7ZRkQ53A9vIECxHLCeOIC6VALib++8TvdKrjbm2r09d  
1fhMFeSiE3Nak2RwHWHAjNCfL/enIwpGM9kiRZK1QHFCbDm7JM7d5rNW9FLgXXv+  
PlhL3CRgmE2iGDZZJpZavyGcSGqewLmeWAn/gWhzwGRBilKiMpAGPLQlAPd6YOA8  
6p366vYRJ1cITlIJ6KzYhGLrah4iYFErzyyfK8cZy6ajJFJZ01g=  
=nhhn  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-7

Apple Security Advisory 2023-09-21-6 - macOS Ventura 13.6 addresses bypass vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-21-6 macOS Ventura 13.6

macOS Ventura 13.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213931.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Additional CVE entries coming soon.

Kernel  
Available for: macOS Ventura  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Security  
Available for: macOS Ventura  
Impact: A malicious app may be able to bypass signature  
validation. Apple is aware of a report that this issue may have been  
actively exploited against versions of iOS before iOS 16.7.  
Description: A certificate validation issue was addressed.  
CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

WebKit  
Available for: macOS Ventura  
Impact: Processing web content may lead to arbitrary code  
execution. Apple is aware of a report that this issue may have been  
actively exploited against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 261544  
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Additional recognition

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group for their assistance.

macOS Ventura 13.6 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+UACgkQX+5d1TXa  
IvpVCQ/+PH+bewmpAxIP9LKpZWkBLgiRwd7BnB1GuqC3IjjQebkqq1mBKM9J5aVV  
iNrGOIccwxHKofbcwHda2upOkUOGV7zdi4iO5TV1TgsZoM1HCfkQ/laKMtyEPZj7  
jdOSpR0kr9E1xUN/muIgir3Acy3SHmqq+6tp5JtaIdTV2WvG/w0LSU8bHmroNhB8  
tRWml3mUV9i9HG+kDT+q+bYNdDs7GO1eTAQyOvB6X+pSBVQiClp8r9PbQAPvMw41  
QZQsZGHF1/Oq1A/6FZlBdwgPvqsKyhSsK9HzVgDPuCftdYBCbf7XJ/QkIRi5udrX  
YKuWwYyTjtaDaokPEbQtlw8R60ZL2ecyaF2u8wuhx1m5v2hq6OM3vZemeNgBVmtB  
7TdimeKzvl+IY1gmo34hkHGJ8ILTUExHD+0VhRBsYXYi9cNpV+S2HFUbqkeGtCRL  
fDMaz6jZo8o9WQ69aYLC1Vqn6xwQxUH6+XS8JOzoTfHBtQgJFZ9r9kt/vJlrdCLu  
aFSfU6sdfXcI7aBlTyL+PNF0M5S+P2i6oEqJUnLhMpnD0ESeNZSOr4wfNwNW21/3  
2DtBbdzNXZ7+c2+Ds8xcOXLwHQlLfsD+u5GHbOr5X97PG59OA3GSmumEdn0DFCdJ  
q+VBu5otgp+DIFJ/xsen4pURqRsw17/aOAzyGguoVJ306SRD2Bo=  
=9eKC  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-6

Apple Security Advisory 2023-09-21-5 - watchOS 9.6.3 addresses bypass vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-21-5 watchOS 9.6.3

watchOS 9.6.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213929.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Security  
Available for: Apple Watch Series 4 and later  
Impact: A malicious app may be able to bypass signature  
validation. Apple is aware of a report that this issue may have been  
actively exploited against versions of iOS before iOS 16.7.  
Description: A certificate validation issue was addressed.  
CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+QACgkQX+5d1TXa  
IvqEKBAAot3koiHF8bV334s7cFZFe+xUGkFszWH7XR/73NCyKVRJaxjfgHkcJUPZ  
qiEgALnau3mEFagwLu2+hIEJKZLCF5nU7uf0tQOBOjWL/ZUk9DXStAahkBWmom9/  
7mGxRqiEPPduJ8jU3BbxVqbwo3IiNhww8o2bS15o/ByhBopvCtIgJFKVPdWOlnHV  
og85okHBa7uOKzwXIdERl62UuAG6swGc8iTdhDxgrlCqDNQPKTT8Re/+Dzv2htlI  
UI38gp/3wFLhQArmgzIbrU6WLMnMRPn+M/juT1AjuFLY1JkdGd/y+uEmNg/rU8tF  
b4ptEbbuR5mNxhcyx0RIn18pHOv7MV/hYRNtXzCkEH5bxAIlPMFLTRWs8OsqlBlQ  
t4lDnf/u0I50W5F3Bf6BpN4lAJaHFej1vNQtz0CN1sXocBj3LUlWFjK5lFXymWUc  
qKt+1xwXBraDuNGabZua5cZpMXNUL8wAjVv1uZOjmvdB1jHN6FVfyu9oc2ONH+p+  
UigbKwLFqlRjJ/8ee2UhNQFwkXf8wDIud/U0kuftu3xtLFJjZsiFJLBUDQ2XQl7z  
eXDvLYdq6Jvo3qiW2AuUGzVLiw4IDSUZk4U3b8ER37/SEFFOEXEJ05uzwMinYYmD  
qTWm/89O74yzgF6HPKigfzNqePZ4eButFer73hndgja9WvYxSCg=  
=4meq  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-5

Apple Security Advisory 2023-09-21-4 - watchOS 10.0.1 addresses bypass vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-21-4 watchOS 10.0.1

watchOS 10.0.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213928.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Security  
Available for: Apple Watch Series 4 and later  
Impact: A malicious app may be able to bypass signature  
validation. Apple is aware of a report that this issue may have been  
actively exploited against versions of iOS before iOS 16.7.  
Description: A certificate validation issue was addressed.  
CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+QACgkQX+5d1TXa  
Ivrolg//eCfa6uj7rYz+BwmO2KTNLG+gAn+NZ9hnFb/txI8aoIwYc5rxDM8ektDP  
itxupK30fcz3cG3fdWazD8YQ16Q7nN9KgU1alLELMZCgBI9K9osMGHzwzCepF1bJ  
gaIt6e/DT6nEruNbtR9DOvZYFK0bBaM+Iar6GZ9NgSP8KwXZjRgCUBtaYuKEu2z4  
K3xic4l0iKbV6T+Wb2hoinsRYjD5vf85q/6qcufRzUdBzpCyy6jEmMZs0CKnCef7  
joEtz1tCVOydrydWXDNrmVXm5BLjBp4Fo3+i5O+zXXJvOaFdvHsbZ9IXmdMR2Zrz  
YY7XxCawuRopfTAsNmnl8dYGGA2u9hSNmxienTCReYfF2gY6QG9tUpnS6TYkv1+3  
HT/W5or4HLlVQvG4M+6ZOLIL/RlCBlnJBP7L78FYQW/0650FU6Xq3UoeQIx5LBf2  
xtz4Dk/Dd/hF0dpGgRtg/Qw1ZqMZbwSgM4Z9yNOT1BnDWKgPyyl4Cg8D50ua4jyH  
eGXUOQhM8hUoaIYjyNe2HM44tW3zZue/eXdu2xLL0LqwBWu4nEZBoyXHJLZHCtYq  
W3KFBpcK3xgXujoknsu+X4Lq/oKH9SdPVmExkIZ/3Ga+8W2pYS3vIhRglt/Cuiis  
xezTX8F3NjxIIztlBwlIgIGcdhb3pFRm7YqMwXykxOIpevPAyRM=  
=zsee  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-4

LogoBee CMS version 0.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : LogoBee CMS v0.2 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://logobee.com                                                                                                |  | # Dork      : intext:''Logo & Web Design by LogoBee''                                                                            |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /updates.php?id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+]  http://vaxform127.0.0.1/updates.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#web