In onBindingDied of CallRedirectionProcessor.java, there is a possible permission bypass due to a logic error in the code. This could lead to local escalation of privilege and background activity launch with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "5b335401d1c8de7d1c85f4a0cf353f7f9fc30218", "tree": "85b52fe7ec98818de079ea0df2d775b8c39a2655", "parents": \[ "dd302d211bd8b935464b48551a76ef718bf33ccc" \], "author": { "name": "Grace Jia", "email": "xiaotonj@google.com", "time": "Thu Jul 20 13:42:50 2023 -0700" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:13:01 2023 +0000" }, "message": "Fix vulnerability in CallRedirectionService.\\n\\nCurrently when the CallRedirectionService binding died, we didn\\u0027t do\\nanything, which cause malicious app start activities even not run in the\\nbackground by implementing a CallRedirectionService and overriding the\\nonPlaceCall method to schedule a activity start job in an independent\\nprocess and then kill itself. In that way, the activity can still\\nstart after the CallRedirectionService died. Fix this by unbinding the\\nservice when the binding died.\\n\\nBug: b/289809991\\nTest: Using testapp provided in bug to make sure the test activity can\\u0027t\\nbe started\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:29b52e3cd027da2d8644450a4dee3a7d95dc0043)\\nMerged-In: I065d361b83700474a1efab2a75928427ee0a14ba\\nChange-Id: I065d361b83700474a1efab2a75928427ee0a14ba\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "226382bde4ab09d0efc1ec408db64c7e3c2cf633", "old\_mode": 33188, "old\_path": "src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java", "new\_id": "02debcd6c1b5710c2a7a14cd97165ff3d8e080cc", "new\_mode": 33188, "new\_path": "src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java" } \] }

CVE-2023-40130

In FillUi of FillUi.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "08becc8c600f14c5529115cc1a1e0c97cd503f33", "tree": "3f0b8b76102e3b965d293910f949644ce9963cc3", "parents": \[ "2d88a5c481df8986dbba2e02c5bf82f105b36243" \], "author": { "name": "Tim Yu", "email": "yunicorn@google.com", "time": "Tue Jun 20 21:24:36 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:10:43 2023 +0000" }, "message": "\[DO NOT MERGE\] Verify URI Permissions in Autofill RemoteViews\\n\\nCheck permissions of URI inside of FillResponse\\u0027s RemoteViews. If the\\ncurrent user does not have the required permissions to view the URI, the\\nRemoteView is dropped from displaying.\\n\\nThis fixes a security spill in which a user can view content of another\\nuser through a malicious Autofill provider.\\n\\nBug: 283137865\\nFixes: b/283264674 b/281666022 b/281665050 b/281848557 b/281533566\\nb/281534749 b/283101289\\nTest: Verified by POC app attached in bugs\\nTest: atest CtsAutoFillServiceTestCases (added new tests)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:93810ba1c0a4d31f49adbf9454731e2b7defdfc0)\\nMerged-In: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a\\nChange-Id: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "bc5d6457c945fec1263428c45dd50615ec131132", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/Helper.java", "new\_id": "48113a81cca5f0a44dc5b478f47e7cadef622745", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/Helper.java" }, { "type": "modify", "old\_id": "c2c630e01bee7a3d999047550719a9e2b0e25201", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java", "new\_id": "59184e9ed28814672004f7d8a8d01b6105ab7b40", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java" }, { "type": "modify", "old\_id": "8fbdd81cc4cc666f5fe855da1aa29187066ac73f", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/ui/FillUi.java", "new\_id": "76fa258734ccc37aea53d19990e64f122c6a0f51", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/ui/FillUi.java" }, { "type": "modify", "old\_id": "677871f6c85f860363fc3e5cb2d07f65b602f6ef", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/ui/SaveUi.java", "new\_id": "533a7b69a650a58ecceb078fd2442dc9e74f67c2", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/ui/SaveUi.java" } \] }

CVE-2023-40139

In android_view_InputDevice_create of android_view_InputDevice.cpp, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "2d88a5c481df8986dbba2e02c5bf82f105b36243", "tree": "6fe3bd910de991370a02c926861447a19172e1ac", "parents": \[ "5a3d0c131175d923cf35c7beb3ee77a9e6485dad" \], "author": { "name": "Josep del Rio", "email": "joseprio@google.com", "time": "Mon Jun 26 09:30:06 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:10:32 2023 +0000" }, "message": "Do not share key mappings with JNI object\\n\\nThe key mapping information between the native key mappings and\\nthe KeyCharacterMap object available in Java is currently shared,\\nwhich means that a read can be attempted while it\\u0027s being modified.\\n\\nBug: 274058082\\nTest: Patch tested by Oppo\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3d993de0d1ada8065d1fe561f690c8f82b6a7d4b)\\nMerged-In: I745008a0a8ea30830660c45dcebee917b3913d13\\nChange-Id: I745008a0a8ea30830660c45dcebee917b3913d13\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "9cc72437a0234a89063644ffe2ab29c1dd47e381", "old\_mode": 33188, "old\_path": "core/jni/android\_view\_InputDevice.cpp", "new\_id": "f7c770e0bffb81d000ca79477c2fa674b44d66b4", "new\_mode": 33188, "new\_path": "core/jni/android\_view\_InputDevice.cpp" } \] }

CVE-2023-40140

Google has announced that it's expanding its Vulnerability Rewards Program (VRP) to reward researchers for finding attack scenarios tailored to generative artificial intelligence (AI) systems in an effort to bolster AI safety and security.
"Generative AI raises new and different concerns than traditional digital security, such as the potential for unfair bias, model manipulation or

Artificial Intelligence / Vulnerability

Google has announced that it's expanding its Vulnerability Rewards Program (VRP) to reward researchers for finding attack scenarios tailored to generative artificial intelligence (AI) systems in an effort to bolster AI safety and security.

"Generative AI raises new and different concerns than traditional digital security, such as the potential for unfair bias, model manipulation or misinterpretations of data (hallucinations)," Google's Laurie Richardson and Royal Hansen said.

Some of the categories that are in scope include prompt injections, leakage of sensitive data from training datasets, model manipulation, adversarial perturbation attacks that trigger misclassification, and model theft.

It's worth noting that Google earlier this July instituted an AI Red Team to help address threats to AI systems as part of its Secure AI Framework (SAIF).

Also announced as part of its commitment to secure AI are efforts to strengthen the AI supply chain via existing open-source security initiatives such as Supply Chain Levels for Software Artifacts (SLSA) and Sigstore.

"Digital signatures, such as those from Sigstore, which allow users to verify that the software wasn't tampered with or replaced," Google said.

"Metadata such as SLSA provenance that tell us what's in software and how it was built, allowing consumers to ensure license compatibility, identify known vulnerabilities, and detect more advanced threats."

The development comes as OpenAI unveiled a new internal Preparedness team to "track, evaluate, forecast, and protect" against catastrophic risks to generative AI spanning cybersecurity, chemical, biological, radiological, and nuclear (CBRN) threats.

The two companies, alongside Anthropic and Microsoft, have also announced the creation of a $10 million AI Safety Fund, focused on promoting research in the field of AI safety.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Expands Its Bug Bounty Program to Tackle Artificial Intelligence Threats

open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the 
/dev/uinput file descriptor allowing them to simulate user inputs.

Advisory ID: VMSA-2023-0024

CVSSv3 Range: 7.5 - 7.8

Issue Date: 2023-10-26

Updated On: 2023-10-26 (Initial Advisory)

CVE(s): CVE-2023-34057, CVE-2023-34058

Synopsis: VMware Tools updates address Local Privilege Escalation and SAML Token Signature Bypass vulnerabilities (CVE-2023-34057, CVE-2023-34058)

****1\. Impacted Products****

*   VMware Tools

****2\. Introduction****

Multiple vulnerabilities in VMware Tools were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

****3a. Local privilege escalation vulnerability in VMware Tools (macOS) (CVE-2023-34057)****

VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local user access to a guest virtual machine may elevate privileges within the virtual machine.

To remediate CVE-2023-34057 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank Dan Revah of Google for reporting this issue to us.

****3b. SAML Token Signature Bypass vulnerability in VMware Tools (CVE-2023-34058)****

VMware Tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.

To remediate CVE-2023-34058 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

*   While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that has now been addressed.
*   CVE-2023-34058 also impacts open-vm-tools. Fixes have been provided to the Linux community for distribution.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34057

7.8

important

12.1.1

None

None

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34057

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34058

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34058

7.5

important

12.3.5

None

None

****4\. References****

****5\. Change Log****

**2023-10-26 VMSA-2023-0024  
**Initial security advisory.

****6\. Contact****

CVE-2023-34059: VMSA-2023-0024

With Google's announcement of seven years of support, other smartphone makers risk falling behind.

Consumers want their devices to be secure and need to be supported for longer, according to Omdia's new survey of 1,578 consumers across 13 major countries in the Americas, Asia & Oceania, and Europe in September 2023. Google and Fairphone are pushing this forward, but governments are also stepping in to ensure security is taken seriously —  benefiting consumer safety and the environment.

**The Need for Security Updates**

While every effort can be put in place by a device manufacturer to ensure the device is "secure by design" or even certified to regulatory or standardized requirements, vulnerabilities are constantly evolving. Updates are key to ensure that new vulnerabilities are found and remediated in a timely manner.

This is happening as consumers increasingly use their mobile phones for sensitive activities such as online banking, identity verification and even relying on services such as Apple or Google Pay.

The update support period is therefore crucial, as well as the frequency of updates and the ability for security-specific updates to be rolled out independent of wider software updates — which is now offered by many of the leading smartphones.

**How Much Support Do Consumers Need?**

Security update periods and replacement cycle rates are frequently a topic of discussion among those pushing for sustainable tech. There's also skepticism as to how long devices should realistically be updated for, with some questioning the usefulness of five-year+ support.

However, shedding light on the actual usage of mobile devices makes it clear that the longer the support, the better — for both security and sustainability. As such, we asked consumers how long they are using their smartphones.

Security updates for many phones under $500 only last two years, yet 56% of consumers used their previous phone for longer. While premium phones typically have five years' support, more than 5% reported that they kept their previous phone longer — beyond the support of any phone available at the time. This also doesn't take into account how late after release the consumer is buying it; if you bought a Samsung Galaxy S22 Ultra now, you'd get a little over three years of support. If you bought a refurbished iPhone 11, you'd get under 1 year. This is effectively stifling a growing second-hand phone market — and leaving those devices potentially vulnerable.

Currently the only phones to offer more than five years of guaranteed security updates are the Google Pixel 8 and Pixel 8 Pro (seven years) and the Fairphone 5 (eight years). Longer updates can help to slow replacement and production rates, effectively keeping working phones in consumers' hands for longer. By reducing phone production, it drastically reduces the environmental impacts of the smartphone industry.

    

Source: Omdia

**Who's Responsible?**

Fifty percent of consumers believe it should be the operating system developer (either Apple or Google) that is responsible for the security of their smartphone. However, how long a phone is supported is primarily down to the device maker and its negotiations with the chipset maker.

Apple and Google are in the unique position of making their own chip, device, and operating system. They are, therefore, their own arbiters. This is likely how Google can commit to seven years — but for Samsung and other Android brands, it would be a more complex process.

Ultimately, regulatory pressure, discussed below, will put mandatory security requirements on device manufacturers, and in some cases importers and distributors, to ensure device update transparency.

    

Source: Omdia

**Security Is a Key Purchase-Driver**

Consumers have security top-of-mind when considering their next phone. Forty-six percent confirmed better security features would be a purchase driver, while just 7% said no.

Sixty-nine percent of survey respondents said good security features were critical or important when deciding which smartphone to purchase, although this is second to key hardware specs such as long battery life, durability, and processor speed. When comparing two similar phones, security and brand trust could become the most important and deciding factor.

**Governments, Policymakers and Standards Bodies Must Step In**

There has historically been a lack of standardization and transparency from equipment manufacturers on security measures for their devices. As a result, governments and standards bodies are developing standards to define baseline requirements, defining product labels to increase consumer visibility and choice, and eventually mandating minimum security requirements.

For example, while Apple has historically given five years of support, it's not transparent at launch; if you just bought a new iPhone 15, you have no official commitment from Apple that it will be supported for two years or five. But with the UK's Product Security and Telecommunications Infrastructure (PSTI) Act, the support period must be stated at the point of sale, from April 2024.

The UK PSTI is just one example, with guidance and legislation being proposed in the US, EU, China, Japan, Korea, and more. While mobile devices are sometimes out of the scope of IoT legislation and government guidance, the proposed EU Cyber Resilience Act will include operating systems for mobile devices — mandating security updates for at least five years, among other requirements.

All manufacturers of connected devices should prioritize and adopt standards and guidance such as the widely referenced ETSI EN 303 645 (Cybersecurity for Consumer IoT) or TS 103 732 (Consumer Mobile Device Protection Profile) to future-proof for upcoming regulation. Further, although at the current time labelling is voluntary, device makers can and should ensure and empower consumer choice by opting in to labelling and certification schemes.

Longer Support Periods Raise the Bar for Mobile Security

WordPress AI ChatBot plugin versions 4.8.9 and below suffer from arbitrary file deletion, remote SQL injection, and directory traversal vulnerabilities.

Vulnerability Details and Technical Analysis

The AI ChatBot plugin provides website owners with a plug and play chat solution that can be expanded upon with customizable FAQs and custom text responses. It provides website users with an interface that allows them to look up order information, leave contact information for later callbacks and can be integrated with OpenAI’s ChatGPT or Google’s DialogFlow.

A lot of the interactions with the chatbot happen via AJAX actions. Many of these actions were made available to unauthenticated users in order to allow them to interact with the chatbot. Other actions required at least subscriber-level access.

Unauthenticated SQL Injection – CVE-2023-5204

Description: Unauthenticated SQL Injection via qc_wpbo_search_response 

Affected Plugin:AI ChatBot

Plugin slug:chatbot

Vendor: QuantumCloud

Affected versions: <= 4.8.9

CVE ID: CVE-2023-5204

CVSS score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher: Marco Wotschka 

Fully Patched Version: 4.9.1

One of the many vulnerabilities we discovered was an unauthenticated SQL Injection. The following two AJAX actions are used for searches during interactions with the chatbot:

add_action( 'wp_ajax_nopriv_wpbo_search_response', 'qc_wpbo_search_response' );

add_action( 'wp_ajax_wpbo_search_response', 'qc_wpbo_search_response' );

The wp_ajax_nopriv_wpbo_search_response AJAX action can be used by users who are not authenticated to WordPress due to the hook utilizing ‘nopriv’. On the other hand, the standard wp_ajax_wpbo_search_response AJAX action can only be used by authenticated users due to the inherent functionality of AJAX actions.

qc_wpbo_search_response 

function qc_wpbo_search_response (shortened for brevity)

The qc_wpbo_search_response function hooked by the aforementioned AJAX actions is used to search within the database for responses containing certain keywords. If the $_POST[‘strid’] parameter is set, a record is retrieved from the wpbot_response table by ID. The $strid variable supplied by the POST parameter can be leveraged for SQL Injection, despite being sanitized using the sanitize_text_field function.

According to the WordPress Developer Resources, the sanitize_text_field function checks for invalid UTF-8; converts single < characters to entities; strips all tags; removes line breaks, tabs, and extra whitespace; strips percent-encoded characters. This does not provide sufficient protection against SQL Injection attempts, and is only intended for Cross-Site Scripting protection. Furthermore, the get_results function used in the above function call does not perform any preparation, nor is there any escaping of the user supplied input passed to the SQL Query. We always recommend the use of the prepare function on SQL queries as it provides adequate escaping on the user-supplied values, which prevents SQL injection from being successful. In addition, ensuring that the $strid is an integer would help prevent a SQL Injection attack from being successful.

The lack of a UNION operation in the above SQL query makes exploiting this vulnerability more difficult, but a time-based blind injection approach using the SLEEP() function and CASE statements can still be used to extract information from the database by observing the duration of individual queries. While tedious, this technique can be used to extract sensitive information from the database. This includes hashed passwords.

Arbitrary File Deletion – CVE-2023-5212

Description:Authenticated (Subscriber+) Arbitrary File Deletion via qcld_openai_delete_training_file 

Affected Plugin: AI ChatBot

Plugin slug: chatbot

Vendor: QuantumCloud

Affected versions: <= 4.8.9

CVE ID:CVE-2023-5212

CVSS score: 9.6 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher: Marco Wotschka 

Fully Patched Version: 4.9.1

The plugin offers the ability to upload training files to OpenAI. An arbitrary file deletion vulnerability existed in the  qcld_openai_delete_training_file  function invoked via the following AJAX action:

add_action('wp_ajax_qcld_openai_delete_training_file',[$this,'qcld_openai_delete_training_file']);

delete_training_file 

function qcld_openai_delete_training_file

This vulnerable function accepts a file path via the $_POST[‘file’] parameter and checks whether the file exists. If it does, the function adjusts permissions on the file in such a way that it can be removed and proceeds to delete it. This function misses a capability check to ensure that the user performing the action has proper privileges, as well as a nonce check to ensure that the action is performed intentionally. and is thus vulnerable to Missing Authorization and Cross-Site Request Forgery.

Furthermore, no check is performed ensuring that the file is an OpenAI training file and that it resides in a location or directory where training files are expected to be located. This could allow an authenticated attacker with subscriber-level privileges or higher to remove the wp-config.php file of an affected site, which would invoke the WordPress installation script on the next site visit and could lead to a complete site takeover.

The file path passed via the $_POST[‘file’] parameter could also point to a file outside of the affected website, thus enabling the deletion of wp-config.php files of other sites in shared hosting environments. Deleting wp-config.php forces the site into a setup state, at which point an attacker can take over the site by pointing it to a database under their control. Of course, attackers are not limited to deleting PHP files either as long as the web server can change file permissions and delete the file.

Version 4.9.1 removed this function as well as the corresponding AJAX action. Version 4.9.2 reintroduced the vulnerable function and action hook, which were both again removed in version 4.9.3.

Directory Traversal to Arbitrary File Write – CVE-2023-5241

Description: Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file 

Affected Plugin: AI ChatBot

Plugin slug: chatbot

Vendor:QuantumCloud

Affected versions: <= 4.8.9

CVE ID: CVE-2023-5241

CVSS score: 9.6 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Researcher: Marco Wotschka 

Fully Patched Version: 4.9.1

We also discovered an arbitrary file write vulnerability which exists in the qcld_openai_upload_pagetraining_file function. The entire function is rather long which is why we won’t display it here in its entirety.

upload_training_file 

function qcld_openai_upload_pagetraining_file (shortened for brevity)

The function expects a filename to be passed as a  $_POST[‘filename’]  parameter, which is sanitized using the sanitize_text_field function. The $file variable is used to determine the location of a file in the wp-content/uploads/qcldopenai_site_training/ directory. If the file exists, the function proceeds to declare a variable called $split_file, creates a file handle $qcld_openai_json_file and opens the file in append mode. This means that the file is not overwritten but anything written to the file is instead appended.

It is not immediately clear what the purpose of this part of the function is since it simply appends the contents that are already in the file to the end of the file until the length of the content that is added exceeds $this->wpaicg_max_file_size or the entire file has been duplicated.

The corresponding if-statement that determines when to terminate writing to the file looks as follows:

if(mb_strlen($qcld_openai_content, '8bit') >$this->wpaicg_max_file_size)

In a default installation $this->wpaicg_max_file_size is not defined and therefore NULL. Hence, in such scenarios the function adds the first line of the file specified by the user to the end of the file. Since NULL is interpreted as zero in a comparison statement like this, any positive file size will suffice to break out of this part of the function.

Unfortunately, this code is vulnerable to Directory Traversal via the filename parameter. If the filename that is passed is a relative path to wp-config.php, the file handle will ultimately point to the site’s wp-config.php file. An authenticated attacker with subscriber-privileges or higher could utilize this fact to append the first line of its content to the file wp-config.php, which would be <?php.

While an attacker does not have any influence on the data that is written, in most cases a <?php could be written to the end of a targeted PHP file, which can lead to catastrophic consequences as the added PHP tag may result in an error such as

Parse error: syntax error, unexpected token "<", expecting end of file

This prevents the site from loading properly and can be used to append to any PHP file (or other files) including those in shared hosting environments leading to Denial of Service (DoS). One way to prevent Directory Traversal is to use the sanitize_file_name function, which removes special characters including slashes and leading dots from the file name.

Version 4.9.1 removed this function as well as the corresponding AJAX action. Version 4.9.2 reintroduced the vulnerable function and action hook, which were both again removed in version 4.9.3.

Numerous Other Missing Authorization and Cross-Site Request Forgery Vulnerabilities

In addition to the vulnerabilities outlined above, we discovered several AJAX actions without proper capability checks, which made it possible for authenticated attackers with minimal access, such as subscribers, to invoke those actions. Several of the functions were also missing nonce verification, which would make it possible for attackers to forge requests on behalf of a site administrator, or any other authenticated user considering capability checks were also missing.

However, these vulnerabilities had minimal impact and led to the exposure of information such as user order details and user names, the download and extraction of a zip used by the plugin (not arbitrary zip files), cache deletion, as well as starting and stopping of search indexing jobs to name a few. The severity of those actions is lower than the ones we detailed above.

Timeline

September 25-28, 2023 – The Wordfence Threat Intelligence team discovers several vulnerabilities in the AI ChatBot plugin.

September 28, 2023 – We initiate contact with the plugin developer.

September 29, 2023 – We release a firewall rule to protect Wordfence Premium , Wordfence Care , and Wordfence Response  customers and send the full disclosure to the plugin developer. Receipt of the disclosure is acknowledged.

October 10, 2023 – A fixed version (4.9.1) of the plugin that patches all reported vulnerabilities is released.

October 18, 2023 – Several of the vulnerabilities are reintroduced in version 4.9.2. We inform the vendor about this.

October 19, 2023 – Version 4.9.3 patches the vulnerabilities again.

October 29, 2023 – The firewall rule becomes available to free Wordfence users

Conclusion

In this blog post we covered an Unauthenticated SQL Injection vulnerability (affecting versions <= 4.8.9), as well as an Arbitrary File Write vulnerability and an Arbitrary File Deletion vulnerability (affecting versions <= 4.8.9 and 4.9.2). The SQL Injection vulnerability allows unauthenticated attackers to extract sensitive information from the database using a time-based blind injection approach, which could ultimately lead to exposure of admin credentials and site takeover.

The Arbitrary File Write vulnerability can be utilized by authenticated attackers to append opening PHP tags (in default configurations) to any file including the wp-config.php file, which can lead to Denial of Service (DoS). The Arbitrary File Deletion vulnerability can be used by authenticated attackers to delete any file on the web server offering the possibility of complete site takeovers.

All Wordfence running Wordfence Premium , Wordfence Care , and Wordfence Response , have been protected against these vulnerabilities as of September 29, 2023. Users still using the free version of Wordfence will receive the same protection on October 29, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence  and potentially earn a spot on our leaderboard .

WordPress AI ChatBot 4.8.9 SQL Injection / Traversal / File Deletion

Apple Security Advisory 10-25-2023-5 - macOS Ventura 13.6.1 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-25-2023-5 macOS Ventura 13.6.1

macOS Ventura 13.6.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213985.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreAnimation  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

FileProvider  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service to Endpoint  
Security clients  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40413: Adam M.

Foundation  
Available for: macOS Ventura  
Impact: A website may be able to access sensitive user data when  
resolving symlinks  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2023-42844: Ron Masas of BreakPoint.SH

Image Capture  
Available for: macOS Ventura  
Impact: An app may be able to access protected user data  
Description: The issue was addressed with improved checks.  
CVE-2023-41077: Mickey Jin (@patch1t)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40416: JZ

IOTextEncryptionFamily  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40423: an anonymous researcher

iperf3  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2023-38403

Kernel  
Available for: macOS Ventura  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de <http://pinauten.de/>)

Model I/O  
Available for: macOS Ventura  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Passkeys  
Available for: macOS Ventura  
Impact: An attacker may be able to access passkeys without  
authentication  
Description: The issue was addressed with additional permissions checks.  
CVE-2023-40401: an anonymous researcher, weize she

Pro Res  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of  
360 Vulnerability Research Institute

talagent  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Weather  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of  
Computer Science, Romania

WindowServer  
Available for: macOS Ventura  
Impact: A website may be able to access the microphone without the  
microphone use indicator being shown  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-41975: an anonymous researcher

Additional recognition

GPU Drivers  
We would like to acknowledge an anonymous researcher for their  
assistance.

libarchive  
We would like to acknowledge Bahaa Naamneh for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

macOS Ventura 13.6.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5Y38ACgkQX+5d1TXa  
Ivp+exAAw1mhJG3ak3Vbixgq7vCy2CVcwwT1ISygYRdE0vJ2BPJVVMiNtflLuqoG  
wLazegOLQkj8VFYt4tWHC+mceX7NWq6zDeoR/lvure5DkbeFRoiyzqJimqpzLhBL  
nqzTUPvu4xrsC3u0DTTsJscEbZPx8h2WxXo/Cd1pIS2ajSDS5qklQIj+foOgPgXF  
AawOcERzVIgScIPCS3M8sIbZz63FV2CjX2OE+flr5fPSFDq0vtrOwa46pGw3hLjW  
BKhTJjhaUDneN/qsTuj+5AmqwDrCBUPltOxLDI/vjRUX+LGPmJdsPmnVL0HShNk+  
y87mbJtrXrHv6IrvcjdHfbglJVX+jjBsoGoUadM2qLNCoVK7vrfSvoFsba09Z3U+  
YK/1DCPVGq253vDfdWfoNsMUorCOP6CwmGZARMM+FErD3rUqxm3XBpZ3Jv4sLBvv  
fYyMLsn7YCBj31VzFafbliKGfduu7iijTdnfgTXEuNviTcOozeag8uNc0IW5tJKG  
bOEq6teHBXSiVQ5V84/K0hndN/DGiTXrQPJw0rjZ3V7N0olCyMdvXFGUhoDYVY5L  
WgKEpYgIJn44644Jzuj4gXEbc+sDlm+027OS2u5KrxNCtEIO2iLKTfc8dd2yJeq2  
CmMdV3N0L4smeLelGxZAtcwJc4Rdjh0Skair1iossxep+PGWAAo=kCLD  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-5

Apple Security Advisory 10-25-2023-4 - macOS Sonoma 14.1 addresses bypass, code execution, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-25-2023-4 macOS Sonoma 14.1

macOS Sonoma 14.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213984.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

App Support  
Available for: macOS Sonoma  
Impact: Parsing a file may lead to an unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-30774

AppSandbox  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40444: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Contacts  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41072: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Csaba Fitzl (@theevilbit) of Offensive Security  
CVE-2023-42857: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

CoreAnimation  
Available for: macOS Sonoma  
Impact: An app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0w

Emoji  
Available for: macOS Sonoma  
Impact: An attacker may be able to execute arbitrary code as root from  
the Lock Screen  
Description: The issue was addressed by restricting options offered on a  
locked device.  
CVE-2023-41989: Jewel Lambert

FileProvider  
Available for: macOS Sonoma  
Impact: An app may be able to cause a denial-of-service to Endpoint  
Security clients  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-42854: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40413: Adam M.

Foundation  
Available for: macOS Sonoma  
Impact: A website may be able to access sensitive user data when  
resolving symlinks  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2023-42844: Ron Masas of BreakPoint.SH

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may result in disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40416: JZ

IOTextEncryptionFamily  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40423: an anonymous researcher

iperf3  
Available for: macOS Sonoma  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2023-38403

Kernel  
Available for: macOS Sonoma  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)

LaunchServices  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved permissions logic.  
CVE-2023-42850: Thijs Alkemade (@xnyhps) from Computest Sector 7, Brian  
McNulty, Zhongquan Li

Login Window  
Available for: macOS Sonoma  
Impact: An attacker with knowledge of a standard user's credentials can  
unlock another standard user's locked screen on the same Mac  
Description: A logic issue was addressed with improved state management.  
CVE-2023-42861: Jon Crain, 凯 王, Brandon Chesser & CPU IT, inc, Matthew  
McLean, Steven Maser, and Avalon IT Team of Concentrix

Mail Drafts  
Available for: macOS Sonoma  
Impact: Hide My Email may be deactivated unexpectedly  
Description: An inconsistent user interface issue was addressed with  
improved state management.  
CVE-2023-40408: Grzegorz Riegel

Maps  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-40405: Csaba Fitzl (@theevilbit) of Offensive Security

Model I/O  
Available for: macOS Sonoma  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42856: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Networking  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-40404: Certik Skyfall Team

Passkeys  
Available for: macOS Sonoma  
Impact: An attacker may be able to access passkeys without  
authentication  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42847: an anonymous researcher

Photos  
Available for: macOS Sonoma  
Impact: Photos in the Hidden Photos Album may be viewed without  
authentication  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42845: Bistrit Dahla

Pro Res  
Available for: macOS Sonoma  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of  
360 Vulnerability Research Institute

Safari  
Available for: macOS Sonoma  
Impact: Visiting a malicious website may reveal browsing history  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-41977: Alex Renda

Safari  
Available for: macOS Sonoma  
Impact: Visiting a malicious website may lead to user interface spoofing  
Description: An inconsistent user interface issue was addressed with  
improved state management.  
CVE-2023-42438: Rafay Baloch & Muhammad Samaak, an anonymous researcher

Siri  
Available for: macOS Sonoma  
Impact: An attacker with physical access may be able to use Siri to  
access sensitive user data  
Description: This issue was addressed by restricting options offered on  
a locked device.  
CVE-2023-41982: Bistrit Dahla  
CVE-2023-41997: Bistrit Dahla  
CVE-2023-41988: Bistrit Dahla

talagent  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40421: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Terminal  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2023-42842: an anonymous researcher

Vim  
Available for: macOS Sonoma  
Impact: Processing malicious input may lead to code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-4733  
CVE-2023-4734  
CVE-2023-4735  
CVE-2023-4736  
CVE-2023-4738  
CVE-2023-4750  
CVE-2023-4751  
CVE-2023-4752  
CVE-2023-4781

Weather  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School of  
Computer Science, Romania

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259836  
CVE-2023-40447: 이준성(Junsung Lee) of Cross Republic

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 259890  
CVE-2023-41976: 이준성(Junsung Lee)

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: A logic issue was addressed with improved checks.  
WebKit Bugzilla: 260173  
CVE-2023-42852: an anonymous researcher

WebKit Process Model  
Available for: macOS Sonoma  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 260757  
CVE-2023-41983: 이준성(Junsung Lee)

WindowServer  
Available for: macOS Sonoma  
Impact: A website may be able to access the microphone without the  
microphone use indicator being shown  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2023-41975: an anonymous researcher

Additional recognition

libarchive  
We would like to acknowledge Bahaa Naamneh for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

Login Window  
We would like to acknowledge an anonymous researcher for their  
assistance.

man  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.

Power Manager  
We would like to acknowledge Xia0o0o0o (@Nyaaaaa_ovo) of University of  
California, San Diego for their assistance.

Reminders  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

macOS Sonoma 14.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5Y1gACgkQX+5d1TXa  
Ivp59RAA2EQwY61OvHZQ0u99Wov8TAoM9popyjLrkWBvKbTH03vdZIXyeCOaqFR8  
aT5SAlRwGOv0QIp/KmRweGlLl96/YP5fhgmDxISwahJZqOuwFkcj9OTfmoENyd6w  
7YYr0BwSfFhrFEQm/OdE4TbiXp+87YiPXA0NPVeClw15bpmQ830aIY3iMJrCLcAE  
ZI6QW9Yi3ynYhor1U+24V8hCM6LgMClNCWavZMorx3D1dfcPkhfspZL1cLqrGNqz  
cCF0IJaJDqKiFG//4FQqDbMOUuP3/FMkH4vED+9krIRqe51P6XDkVeI/BgFo6wpu  
hgZVgcPxMgbeiZX7O4BAY/ygLe2pKpyvBDJKCCo4GjkypcjmFhyyul+J45yLOSA1  
+x9EzYE8OSOn4dGA+qT9aKC4Csti9idoK0KsYHN7jCLU56Y9gvIV2n+PcWVhI4RF  
gE4BD+71vPyn6+tpf27+Kt5qW1Mj3ru6Q3u0w2xobbLdpgxc66EfCn2ZLxuzSqvc  
kSgwf1yOpiMLzBMAqWxgX51qppsQA1du8G6ZNmPjdyV28GpaWNzL/qb3vivaSYkK  
b6vrLEGID7U4wFjbVfuc7v0xmZeOgUprH6eQ7PnjRdmMq0xDaW8xFs3iGc6GScvl  
ZCI4CcZSLGPrCzmyUpbD+OMFT4SDDaOGSNEXW7jOrRjgQMc6bJQ=  
=YgRC  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-25-2023-4

Apple Security Advisory 10-25-2023-2 - iOS 16.7.2 and iPadOS 16.7.2 addresses bypass, code execution, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-10-25-2023-2 iOS 16.7.2 and iPadOS 16.7.2iOS 16.7.2 and iPadOS 16.7.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213981.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.CoreAnimationAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to cause a denial-of-serviceDescription: The issue was addressed with improved memory handling.CVE-2023-40449: Tomi Tokics (@tomitokics) of iTomsn0wFind MyAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to read sensitive location informationDescription: The issue was addressed with improved handling of caches.CVE-2023-40413: Adam M.ImageIOAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing an image may result in disclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2023-40416: JZIOTextEncryptionFamilyAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-40423: an anonymous researcherKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An attacker that has already achieved kernel code execution maybe able to bypass kernel memory mitigationsDescription: The issue was addressed with improved memory handling.CVE-2023-42849: Linus Henze of Pinauten GmbH (pinauten.de)Mail DraftsAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Hide My Email may be deactivated unexpectedlyDescription: An inconsistent user interface issue was addressed withimproved state management.CVE-2023-40408: Grzegorz RiegelmDNSResponderAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A device may be passively tracked by its Wi-Fi MAC addressDescription: This issue was addressed by removing the vulnerable code.CVE-2023-42846: Talal Haj Bakry and Tommy Mysk of Mysk Inc. @mysk_coPro ResAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2023-42841: Mingxuan Yang (@PPPF00L), happybabywu and Guang Gong of360 Vulnerability Research InstituteSafariAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Visiting a malicious website may reveal browsing historyDescription: The issue was addressed with improved handling of caches.CVE-2023-41977: Alex RendaSiriAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An attacker with physical access may be able to use Siri toaccess sensitive user dataDescription: This issue was addressed by restricting options offered ona locked device.CVE-2023-41997: Bistrit DahlaCVE-2023-41982: Bistrit DahlaWeatherAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-41254: Cristian Dinca of "Tudor Vianu" National High School ofComputer Science, RomaniaWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A user's password may be read aloud by VoiceOverDescription: This issue was addressed with improved redaction ofsensitive information.WebKit Bugzilla: 248717CVE-2023-32359: Claire HoustonWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 259836CVE-2023-40447: 이준성(Junsung Lee) of Cross RepublicWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to arbitrary code executionDescription: A logic issue was addressed with improved checks.WebKit Bugzilla: 260173CVE-2023-42852: an anonymous researcherWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to arbitrary code executionDescription: A use-after-free issue was addressed with improved memorymanagement.WebKit Bugzilla: 259890CVE-2023-41976: 이준성(Junsung Lee)WebKit Process ModelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to a denial-of-serviceDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 260757CVE-2023-41983: 이준성(Junsung Lee)Additional recognitionlibxml2We would like to acknowledge OSS-Fuzz, Ned Williamson of Google ProjectZero for their assistance.libarchiveWe would like to acknowledge Bahaa Naamneh for their assistance.WebKitWe would like to acknowledge an anonymous researcher for theirassistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.7.2 and iPadOS 16.7.2".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmU5YvsACgkQX+5d1TXaIvpLZQ//e5ZVOM9rZ/DUWaI9SA97C3aNYfmtQCmxmFTq2PHtQ8ipSRtJyqfGXngofVuXRjgCIdVrIXiqnI7RGYHSTAZ1bcdP3ZJB6LWVC6BsNBWKP24AiPh8DxCdzIH6yvqL43nwml86WP7n7RxZDIUdY6tXewfk4OklGmqal3HCKJW5KmY2sxmKB49rfMVFTU7uBIw4rdeogwY6WL0pKGDjCl0Jwa5u8TLzX21mLP+/4+DYyocTOeSezNPCHj8Hz6xnzngtYOZfROaOLMRu72a21No7RBio6QDWGbWX09lPXF/PT00wa2vQ6JxBfnDfjGg8yLz/kN+91LlV5QDoPZLvNIx/8PIjppclLi/NbQEBZDAp6kn1T1xOQHV31rMVxUikMR3JDVHZYeaL6Yjgh55EYQUq0/ngwgZ0eTDK1wCGROLOQWdw2K4u/B5wp/XSklYLvJBSJnNFPPAanueteOsOJ0P7WQy0XPvkxblnfzz+Un2cfENhtuu2SW3Li8EXtA4P7NklsU8apEPwcVkX/FTvrQdNKdyYMtgya4fY7Zo7XAtWV+2f1EJ+WBLMaoXi2TRktQzhvrekK8OBRVRBYPAAyoWceG1tKG6V7K5kZ3mwknBGhLXJvEvV31/shr1bGYTLcdmq8VFOVuPbuhfbMiAKct6T4ipLqjTeFyTDS2xhimLMWJY==wyRz-----END PGP SIGNATURE-----

Tag

#google