In onTaskAppeared of PipTaskOrganizer.java, there is a possible way to bypass background activity launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2023-40116

In resetSettingsLocked of SettingsProvider.java, there is a possible lockscreen bypass due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "ff86ff28cf82124f8e65833a2dd8c319aea08945", "tree": "524d68215696fbfe5584e2a97f296e20904941a2", "parents": \[ "86c8421c1181816b6cb333eb62a78e32290c4b17" \], "author": { "name": "Eric Biggers", "email": "ebiggers@google.com", "time": "Fri Jul 28 22:03:03 2023 +0000" }, "committer": { "name": "Justin Dunlap", "email": "justindunlap@google.com", "time": "Fri Sep 01 12:58:52 2023 -0700" }, "message": "RESTRICT AUTOMERGE: SettingsProvider: exclude secure\_frp\_mode from resets\\n\\nWhen RescueParty detects that a system process is crashing frequently,\\nit tries to recover in various ways, such as by resetting all settings.\\nUnfortunately, this included resetting the secure\_frp\_mode setting,\\nwhich is the means by which the system keeps track of whether the\\nFactory Reset Protection (FRP) challenge has been passed yet. With this\\nsetting reset, some FRP restrictions went away and it became possible to\\nbypass FRP by setting a new lockscreen credential.\\n\\nFix this by excluding secure\_frp\_mode from resets.\\n\\nNote: currently this bug isn\\u0027t reproducible on \\u0027main\\u0027 due to ag/23727749\\ndisabling much of RescueParty, but that is a temporary change.\\n\\nBug: 253043065\\nTest: With ag/23727749 reverted and with my fix to prevent\\n com.android.settings from crashing \*not\* applied, tried repeatedly\\n setting lockscreen credential while in FRP mode, using the\\n smartlock setup activity launched by intent via adb. Verified\\n that although RescueParty is still triggered after 5 attempts,\\n secure\_frp\_mode is no longer reset (its value remains \\"1\\").\\nTest: Verified that secure\_frp\_mode still gets changed from 1 to 0 when\\n FRP is passed legitimately.\\nTest: atest com.android.providers.settings.SettingsProviderTest\\nTest: atest android.provider.SettingsProviderTest\\n(cherry picked from commit 9890dd7f15c091f7d1a09e4fddb9f85d32015955)\\n(changed Global.SECURE\_FRP\_MODE to Secure.SECURE\_FRP\_MODE,\\n needed because this setting was moved in U)\\n(removed static keyword from shouldExcludeSettingFromReset(),\\n needed for compatibility with Java 15 and earlier)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8c2d2c6fc91c6b80809a91ac510667af24d2cf17)\\nMerged-In: Id95ed43b9cc2208090064392bcd5dc012710af93\\nChange-Id: Id95ed43b9cc2208090064392bcd5dc012710af93\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "a6edb0f0e2e35722ff118876f3098934a38b0f76", "old\_mode": 33188, "old\_path": "packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java", "new\_id": "2e04cdae2a30420eb8a7aa41adf5dd5ef4dbf661", "new\_mode": 33188, "new\_path": "packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java" }, { "type": "modify", "old\_id": "eaf0dcb9b4e797a07e5c2c058c3bbfe260b5024a", "old\_mode": 33188, "old\_path": "packages/SettingsProvider/test/src/com/android/providers/settings/SettingsProviderTest.java", "new\_id": "1c6d2b08136c3bda2fee087466e44ee105ce8ec4", "new\_mode": 33188, "new\_path": "packages/SettingsProvider/test/src/com/android/providers/settings/SettingsProviderTest.java" } \] }

CVE-2023-40117

In onBindingDied of CallRedirectionProcessor.java, there is a possible permission bypass due to a logic error in the code. This could lead to local escalation of privilege and background activity launch with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "5b335401d1c8de7d1c85f4a0cf353f7f9fc30218", "tree": "85b52fe7ec98818de079ea0df2d775b8c39a2655", "parents": \[ "dd302d211bd8b935464b48551a76ef718bf33ccc" \], "author": { "name": "Grace Jia", "email": "xiaotonj@google.com", "time": "Thu Jul 20 13:42:50 2023 -0700" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:13:01 2023 +0000" }, "message": "Fix vulnerability in CallRedirectionService.\\n\\nCurrently when the CallRedirectionService binding died, we didn\\u0027t do\\nanything, which cause malicious app start activities even not run in the\\nbackground by implementing a CallRedirectionService and overriding the\\nonPlaceCall method to schedule a activity start job in an independent\\nprocess and then kill itself. In that way, the activity can still\\nstart after the CallRedirectionService died. Fix this by unbinding the\\nservice when the binding died.\\n\\nBug: b/289809991\\nTest: Using testapp provided in bug to make sure the test activity can\\u0027t\\nbe started\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:29b52e3cd027da2d8644450a4dee3a7d95dc0043)\\nMerged-In: I065d361b83700474a1efab2a75928427ee0a14ba\\nChange-Id: I065d361b83700474a1efab2a75928427ee0a14ba\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "226382bde4ab09d0efc1ec408db64c7e3c2cf633", "old\_mode": 33188, "old\_path": "src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java", "new\_id": "02debcd6c1b5710c2a7a14cd97165ff3d8e080cc", "new\_mode": 33188, "new\_path": "src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java" } \] }

CVE-2023-40130

In appendEscapedSQLString of DatabaseUtils.java, there is a possible SQL injection due to unsafe deserialization. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "3287ac2d2565dc96bf6177967f8e3aed33954253", "tree": "832070d1a4d228a36bfcce5f0f3410555063e3ca", "parents": \[ "7212a4bec2d2f1a74fa54a12a04255d6a183baa9" \], "author": { "name": "Kunal Malhotra", "email": "malhk@google.com", "time": "Fri Jun 02 23:32:02 2023 +0000" }, "committer": { "name": "Justin Dunlap", "email": "justindunlap@google.com", "time": "Fri Sep 01 12:58:52 2023 -0700" }, "message": "Fixing DatabaseUtils to detect malformed UTF-16 strings\\n\\nTest: tested with POC in bug, also using atest\\nBug: 224771621\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fb4a72e3943d166088407e61aa4439ac349f3f12)\\nMerged-In: Ide65205b83063801971c5778af3154bcf3f0e530\\nChange-Id: Ide65205b83063801971c5778af3154bcf3f0e530\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "6c8a8500e4e38c282491cefbf98e42b3a92e976a", "old\_mode": 33188, "old\_path": "core/java/android/database/DatabaseUtils.java", "new\_id": "d41df4f49d48fd3d2bf7274644fc96e67352022b", "new\_mode": 33188, "new\_path": "core/java/android/database/DatabaseUtils.java" } \] }

CVE-2023-40121

In FillUi of FillUi.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "08becc8c600f14c5529115cc1a1e0c97cd503f33", "tree": "3f0b8b76102e3b965d293910f949644ce9963cc3", "parents": \[ "2d88a5c481df8986dbba2e02c5bf82f105b36243" \], "author": { "name": "Tim Yu", "email": "yunicorn@google.com", "time": "Tue Jun 20 21:24:36 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:10:43 2023 +0000" }, "message": "\[DO NOT MERGE\] Verify URI Permissions in Autofill RemoteViews\\n\\nCheck permissions of URI inside of FillResponse\\u0027s RemoteViews. If the\\ncurrent user does not have the required permissions to view the URI, the\\nRemoteView is dropped from displaying.\\n\\nThis fixes a security spill in which a user can view content of another\\nuser through a malicious Autofill provider.\\n\\nBug: 283137865\\nFixes: b/283264674 b/281666022 b/281665050 b/281848557 b/281533566\\nb/281534749 b/283101289\\nTest: Verified by POC app attached in bugs\\nTest: atest CtsAutoFillServiceTestCases (added new tests)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:93810ba1c0a4d31f49adbf9454731e2b7defdfc0)\\nMerged-In: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a\\nChange-Id: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "bc5d6457c945fec1263428c45dd50615ec131132", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/Helper.java", "new\_id": "48113a81cca5f0a44dc5b478f47e7cadef622745", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/Helper.java" }, { "type": "modify", "old\_id": "c2c630e01bee7a3d999047550719a9e2b0e25201", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java", "new\_id": "59184e9ed28814672004f7d8a8d01b6105ab7b40", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java" }, { "type": "modify", "old\_id": "8fbdd81cc4cc666f5fe855da1aa29187066ac73f", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/ui/FillUi.java", "new\_id": "76fa258734ccc37aea53d19990e64f122c6a0f51", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/ui/FillUi.java" }, { "type": "modify", "old\_id": "677871f6c85f860363fc3e5cb2d07f65b602f6ef", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/ui/SaveUi.java", "new\_id": "533a7b69a650a58ecceb078fd2442dc9e74f67c2", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/ui/SaveUi.java" } \] }

CVE-2023-40139

In android_view_InputDevice_create of android_view_InputDevice.cpp, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "2d88a5c481df8986dbba2e02c5bf82f105b36243", "tree": "6fe3bd910de991370a02c926861447a19172e1ac", "parents": \[ "5a3d0c131175d923cf35c7beb3ee77a9e6485dad" \], "author": { "name": "Josep del Rio", "email": "joseprio@google.com", "time": "Mon Jun 26 09:30:06 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:10:32 2023 +0000" }, "message": "Do not share key mappings with JNI object\\n\\nThe key mapping information between the native key mappings and\\nthe KeyCharacterMap object available in Java is currently shared,\\nwhich means that a read can be attempted while it\\u0027s being modified.\\n\\nBug: 274058082\\nTest: Patch tested by Oppo\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3d993de0d1ada8065d1fe561f690c8f82b6a7d4b)\\nMerged-In: I745008a0a8ea30830660c45dcebee917b3913d13\\nChange-Id: I745008a0a8ea30830660c45dcebee917b3913d13\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "9cc72437a0234a89063644ffe2ab29c1dd47e381", "old\_mode": 33188, "old\_path": "core/jni/android\_view\_InputDevice.cpp", "new\_id": "f7c770e0bffb81d000ca79477c2fa674b44d66b4", "new\_mode": 33188, "new\_path": "core/jni/android\_view\_InputDevice.cpp" } \] }

CVE-2023-40140

An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.

CVE-2022-34832: XXE in AgileReporter 21.3 by VERMEG

An issue was discovered in VERMEG AgileReporter 21.3. An admin can enter an XSS payload in the Analysis component.

Important note:  
**_User with lower permission is able to add comment with payload that executed in the admin's browser._**

**How to reproduce:**  
1\. Click the name of one of the Returns.  
2\. Click on Activity log.  
3\. Click on Add comment.  
4\. Paste the following payload into the input field:  
    <img/src=\`%00\` onerror=this.onerror=confirm(3)>  
5\. Click OK  
6\. Open https://_...removed\_by\_tester_/analysis-module/dashboard  
7\. Select Regulator, Entity and exactly that Return that you have selected before  
8\. Click on Create  
9\. Click on Menu --> Comments: This will trigger the javascript pop-up code.

CVE-2022-34833: 1. Stored XSS in AgileReporter 21.3 by VERMEG

The "iLeakage" attack affects all recent iPhone, iPad, and MacBook models, allowing attackers to peruse your Gmail inbox, steal your Instagram password, or scrutinize your YouTube history.

Researchers have developed a side-channel exploit for Apple CPUs, enabling sophisticated attackers to extract sensitive information from browsers.

Side-channel attacks are usually overlooked, often physical counterparts to traditional software hacks. Rather than an unsecured password or a vulnerability in a program, they take advantage of the extra information a computer system or hardware generates — in the form of sound, light, or electromagnetic radiation, for example, or in the time it takes to complete certain computations (a timing attack).

On Wednesday, four researchers — including two of those responsible for uncovering the Spectre processor vulnerability back in 2018 — published the details of such an attack, which they've named "iLeakage," affecting all recent iPhone, iPad, and MacBook models.

The researchers informed Apple of their findings on Sept. 12, 2022, according to their website, and the company has since developed a mitigation. However, it's still considered unstable, it's not enabled on devices by default, and mitigating is only possible on Macs, not mobile devices.

In comments provided to Dark Reading on background, an Apple spokesperson wrote, "This proof of concept advances our understanding of these types of threats. We are aware of the issue and it will be addressed in our next scheduled software release."

**How iLeakage Works**

iLeakage takes advantage of A- and M-series Apple silicon CPUs' capacity to perform speculative execution.

Speculative execution is a method by which modern CPUs predict tasks before they're even prompted, in order to speed up information processing. "This technique has been around for over 20 years, and today all modern CPUs use it — it significantly speeds up processing, even accounting for times it might get the anticipated instructions wrong," explains John Gallagher, vice president of Viakoo Labs.

The rub is that "cache inside the CPU holds a lot of valuable data, including what might be staged for upcoming instructions. iLeakage uses the Apple WebKit capabilities inside a browser to use JavaScript to gain access to those contents."

Specifically, the researchers used a new speculation-based gadget to read the contents of another webpage when a victim clicked on their malicious webpage.

"Alone, WebKit would not enable the cache contents to be divulged, nor would how A-Series and M-Series perform speculative execution — it's the combination of the two together that leads to this exploit," Gallagher explains.

**A Successor to Meltdown/Spectre**

"This builds on a line of attacks against CPU vulnerabilities that started around 2017 with Meltdown and Spectre," Lionel Litty, chief security architect at Menlo Security points out. "High level, you want to think about applications and processes, and trust that the operating system with help from the hardware is properly isolating these from one another," but those two exploits broke the fundamental isolation between different applications, and an application and operating system, that we tend to take for granted as users, he says.

iLeakage, then, is a spiritual successor that focuses on breaking the isolation between browser tabs.

The good news is, in their website's FAQ section, the researchers described iLeakage as "a significantly difficult attack to orchestrate end-to-end," which "requires advanced knowledge of browser-based side-channel attacks and Safari's implementation." They also noted that successful exploitation hasn't been demonstrated in the wild.

Were a capable enough attacker to come along and try it, however, this method is powerful enough to siphon just about any data users traffic online: logins, search histories, credit card details, what have you. In YouTube videos, the researchers demonstrated how their exploit could expose victims' Gmail inboxes, their YouTube watch histories, and their Instagram passwords, as just a few examples.

**iPhone Users Are Especially Affected**

Though it takes advantage of the idiosyncrasies in Safari's JavaScript engine specifically, iLeakage affects all browsers on iOS, because Apple's policies force all iPhone browser apps to use Safari's engine.

"Chrome, Firefox and Edge on iOS are simply wrappers on top of Safari that provide auxiliary features such as synchronizing bookmarks and settings. Consequently, nearly every browser application listed on the App Store is vulnerable to iLeakage," the researchers explained.

iPhone users are doubly in trouble, because the best fix Apple has released thus far only works on MacBooks (and, for that matter, only in an unstable state). But for his part, Gallagher backs Apple's ability to design an effective remediation.

"Chip-level vulnerabilities are typically hard to patch, which is why it is not surprising that there is not a fix for this right now. It will take time, but ultimately if this becomes a real exploited vulnerability a patch will likely be available," he says.

Safari Side-Channel Attack Enables Browser Theft


Rockwell Automation FactoryTalk View Site Edition insufficiently validates user input, which could potentially allow threat actors to send malicious data bringing the product offline. If exploited, the product would become unavailable and require a restart to recover resulting in a denial-of-service condition.



**JavaScript required**

JavaScript is required. This web browser does not support JavaScript or JavaScript in this web browser is not enabled.

To find out if your web browser supports JavaScript or to enable JavaScript, see web browser help.

Tag

#java