Full Disclosure

APPLE-SA-2023-07-24-1 Safari 16.6

Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-1 Safari 16.6

Safari 16.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213847.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: A website may be able to bypass Same Origin Policy
Description: The...
  • July 25th 2023 at 13:45

APPLE-SA-2023-07-24-3 iOS 15.7.8 and iPadOS 15.7.8

Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-3 iOS 15.7.8 and iPadOS 15.7.8

iOS 15.7.8 and iPadOS 15.7.8 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213842.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for devices with Apple Neural Engine: iPhone 8 and later, iPad
Pro...
  • July 25th 2023 at 13:45

APPLE-SA-2023-07-24-2 iOS 16.6 and iPadOS 16.6

Posted by Apple Product Security via Fulldisclosure on Jul 25

APPLE-SA-2023-07-24-2 iOS 16.6 and iPadOS 16.6

iOS 16.6 and iPadOS 16.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213841.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for devices with Apple Neural Engine: iPhone 8 and later, iPad
Pro (3rd...
  • July 25th 2023 at 13:45

APPLE-SA-2023-07-24-1 Safari 16.6

Posted by Deven Kishore via Fulldisclosure on Jul 24

APPLE-SA-2023-07-24-1 Safari 16.6

Safari 16.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213847.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: A website may be able to bypass Same Origin Policy
Description: The...
  • July 25th 2023 at 04:22

[SYSS-2023-006]: Omnis Studio - Expected Behavior Violation (CWE-440) (CVE-2023-38334)

Posted by Matthias Deeg via Fulldisclosure on Jul 21

Advisory ID: SYSS-2023-006
Product: Omnis Studio
Manufacturer: Omnis Software Ltd.
Affected Version(s): 10.22.00
Tested Version(s): 10.22.00
Vulnerability Type: Expected Behavior Violation (CWE-440)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2023-03-30
Solution Date: -
Public Disclosure: 2023-07-20
CVE Reference:...
  • July 21st 2023 at 15:15

[SYSS-2023-005]: Omnis Studio - Expected Behavior Violation (CWE-440) (CVE-2023-38335)

Posted by Matthias Deeg via Fulldisclosure on Jul 21

Advisory ID: SYSS-2023-005
Product: Omnis Studio
Manufacturer: Omnis Software Ltd.
Affected Version(s): 10.22.00
Tested Version(s): 10.22.00
Vulnerability Type: Expected Behavior Violation (CWE-440)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2023-03-30
Solution Date: -
Public Disclosure: 2023-07-20
CVE Reference:...
  • July 21st 2023 at 15:15

Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2278

Release Date:
=============
2023-07-04

Vulnerability Laboratory ID (VL-ID):
====================================
2278

Common Vulnerability Scoring System:
====================================
5.4

Vulnerability Class:
====================
Script Code...
  • July 19th 2023 at 17:48

Boom CMS v8.0.7 - Cross Site Scripting Vulnerability

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
Boom CMS v8.0.7 - Cross Site Scripting Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2274

Release Date:
=============
2023-07-03

Vulnerability Laboratory ID (VL-ID):
====================================
2274

Common Vulnerability Scoring System:
====================================
5.3

Vulnerability Class:
====================
Cross Site Scripting -...
  • July 19th 2023 at 17:48

Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2276

Release Date:
=============
2023-07-05

Vulnerability Laboratory ID (VL-ID):
====================================
2276

Common Vulnerability Scoring System:
====================================
5

Vulnerability Class:
====================
Cross Site...
  • July 19th 2023 at 17:48

Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2317

Release Date:
=============
2023-07-04

Vulnerability Laboratory ID (VL-ID):
====================================
2317

Common Vulnerability Scoring System:
====================================
5.1

Vulnerability Class:
====================
Multiple...
  • July 19th 2023 at 17:48

PaulPrinting CMS - (Search Delivery) Cross Site Scripting Vulnerability

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
PaulPrinting CMS - (Search Delivery) Cross Site Scripting Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2286

Release Date:
=============
2023-07-17

Vulnerability Laboratory ID (VL-ID):
====================================
2286

Common Vulnerability Scoring System:
====================================
5.2

Vulnerability Class:
====================...
  • July 19th 2023 at 17:48

Webile v1.0.1 - Multiple Cross Site Web Vulnerabilities

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
Webile v1.0.1 - Multiple Cross Site Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2321

Release Date:
=============
2023-07-03

Vulnerability Laboratory ID (VL-ID):
====================================
2321

Common Vulnerability Scoring System:
====================================
5.5

Vulnerability Class:
====================
Cross Site...
  • July 19th 2023 at 17:48

Aures Booking & POS Terminal - Local Privilege Escalation Vulnerability

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
Aures Booking & POS Terminal - Local Privilege Escalation Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2323

Release Date:
=============
2023-07-17

Vulnerability Laboratory ID (VL-ID):
====================================
2323

Common Vulnerability Scoring System:
====================================
7.2

Vulnerability Class:
====================...
  • July 19th 2023 at 17:48

PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities

Posted by info () vulnerability-lab com on Jul 19

Document Title:
===============
PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2285

Release Date:
=============
2023-07-19

Vulnerability Laboratory ID (VL-ID):
====================================
2285

Common Vulnerability Scoring System:
====================================
5.8

Vulnerability Class:
====================
Cross Site...
  • July 19th 2023 at 17:48

CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent

Posted by Qualys Security Advisory via Fulldisclosure on Jul 19

Qualys Security Advisory

CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent

========================================================================
Contents
========================================================================

Summary
Background
Experiments
Results
Discussion
Acknowledgments
Timeline

========================================================================
Summary...
  • July 19th 2023 at 17:47

Re: Citrix Gateway & Cloud MFA - Insufficient Session Validation Vulnerability

Posted by Jeffrey Walton on Jul 19

There's also https://en.wikipedia.org/wiki/Session_hijacking#Prevention

One thing Jim Manico of OWASP recommends is to (re)prompt the user for
their password on occasion, like when performing a high value
operation. That will effectively re-authenticate a user before a high
value operation. Attackers with a cookie but without the user's
password should fail the re-authentication challenge.

Jeff
  • July 19th 2023 at 17:47

[RT-SA-2023-001] Session Token Enumeration in RWS WorldServer

Posted by RedTeam Pentesting GmbH on Jul 19

Advisory: Session Token Enumeration in RWS WorldServer

Session tokens in RWS WorldServer have a low entropy and can be
enumerated, leading to unauthorised access to user sessions.

Details
=======

Product: WorldServer
Affected Versions: 11.7.3 and earlier versions
Fixed Version: 11.8.0
Vulnerability Type: Session Token Enumeration
Security Risk: high
Vendor URL: https://www.rws.com/localization/products/additional-solutions/
Vendor Status:...
  • July 19th 2023 at 07:53

WBCE - Stored XSS

Posted by Andrey Stoykov on Jul 16

# Exploit Title: WBCE - Stored XSS
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 1.6.1
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com

Steps to Exploit:

1. Login to application
2. Browse to following URI "http://host/wbce/admin/pages/intro.php"
3. Paste XSS payload "TEST"><img src=x onerror=alert(1)>"
4. Then browse to settings "Settings->General Settings->Enable...
  • July 16th 2023 at 23:37

Re: Citrix Gateway & Cloud MFA - Insufficient Session Validation Vulnerability

Posted by Jens Timmerman on Jul 16

Hi,

I've been working with a lot of products I believe that are vulnerable
to a very similar exploit, and I was wondering how one should fix
this/protect against this attack?

I looked at
https://owasp.org/www-community/attacks/Session_hijacking_attack but
the page linking to the related controls doesn't seem to exist.
  • July 16th 2023 at 23:37

Unquoted Path - XAMPP 8.2.4

Posted by Andrey Stoykov on Jul 11

# Exploit Title: XAMPP 8.2.4 - Unquoted Path
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 8.2.4
# Software Link:
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com/

Steps to Exploit:

1. Search for unquoted paths
2. Generate meterpreter shell
3. Copy shell to XAMPP directory replacing...
  • July 11th 2023 at 22:41

APPLE-SA-2023-07-10-1 Safari 16.5.2

Posted by Apple Product Security via Fulldisclosure on Jul 11

APPLE-SA-2023-07-10-1 Safari 16.5.2

Safari 16.5.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213826.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: Processing web content may lead to arbitrary code execution....
  • July 11th 2023 at 22:41

APPLE-SA-2023-07-10-2 Rapid Security Responses for iOS 16.5.1 and iPadOS 16.5.1

Posted by Apple Product Security via Fulldisclosure on Jul 11

APPLE-SA-2023-07-10-2 Rapid Security Responses for iOS 16.5.1 and iPadOS 16.5.1

Rapid Security Responses for iOS 16.5.1 and iPadOS 16.5.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213823.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

This document describes the content of...
  • July 11th 2023 at 22:41

APPLE-SA-2023-07-10-3 Rapid Security Responses for macOS Ventura 13.4.1

Posted by Apple Product Security via Fulldisclosure on Jul 11

APPLE-SA-2023-07-10-3 Rapid Security Responses for macOS Ventura 13.4.1

Rapid Security Responses for macOS Ventura 13.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213825.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

This document describes the content of Rapid Security...
  • July 11th 2023 at 22:41

Re: [tool] tc - anonymous and cyphered chat over Tor circuits in PGP

Posted by bo0od via Fulldisclosure on Jul 11

I didn't see worse than this app to use for anonymity like this one:

- PGP is old bad stuff:

https://www.kicksecure.com/wiki/OpenPGP#Issues_with_PGP

- RSA/DSA old as well and has tons of security issues like side channel
and timing attacks..etc (the researches about them everywhere)

use Post-Quantum cryptography or at least ECC.

- C code is again old and insecure (memory issues..etc), should be
replaced with Rust

so yeah nice idea but...
  • July 11th 2023 at 22:41

Asterisk Release 16.30.1

Posted by Asterisk Development Team via Fulldisclosure on Jul 11

The Asterisk Development Team would like to announce security release
Asterisk 16.30.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/16.30.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm

Change Log for Release 16.30.1...
  • July 11th 2023 at 22:41

Asterisk Release 18.18.1

Posted by Asterisk Development Team via Fulldisclosure on Jul 11

The Asterisk Development Team would like to announce security release
Asterisk 18.18.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/18.18.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm

Change Log for Release 18.18.1...
  • July 11th 2023 at 22:41

Re: Ransom.Haron / Code Execution

Posted by malvuln on Jul 11

*** Correction: should have been CRYPTSP.dll ***

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/dedad693898bba0e4964e6c9a749d380.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Ransom.Haron
Vulnerability: Code Execution
Description: Haron looks for and executes DLLs in its current directory.
Therefore, we can potentially hijack a vuln DLL execute our own code,...
  • July 11th 2023 at 22:41

Asterisk Release 19.8.1

Posted by Asterisk Development Team via Fulldisclosure on Jul 11

The Asterisk Development Team would like to announce security release
Asterisk 19.8.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/19.8.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm

Change Log for Release 19.8.1...
  • July 11th 2023 at 22:41

Asterisk Release 20.3.1

Posted by Asterisk Development Team via Fulldisclosure on Jul 11

The Asterisk Development Team would like to announce security release
Asterisk 20.3.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.3.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:
https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm

Change Log for Release 20.3.1...
  • July 11th 2023 at 22:41

Asterisk Release certified-18.9-cert5

Posted by Asterisk Development Team via Fulldisclosure on Jul 11

The Asterisk Development Team would like to announce security release
Certified Asterisk 18.9-cert5.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert5
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

The following security advisories were resolved in this release:
https://github.com/asterisk/asterisk/security/advisories/GHSA-4xjp-22g4-9fxm...
  • July 11th 2023 at 22:41

SEC Consult SA-20230628-0 :: Stored XSS & Privilege Escalation in Boomerang Parental Control App

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jul 07

SEC Consult Vulnerability Lab Security Advisory < 20230628-0 >
=======================================================================
title: Stored XSS & Privilege Escalation
product: Boomerang Parental Control App
vulnerable version: <13.83
fixed version: >=13.83 (only issue 1), rest not fixed
CVE number: CVE-2023-36620, CVE-2023-36621
impact: High...
  • July 7th 2023 at 17:30

SEC Consult SA-20230705-0 :: Path traversal bypass & Denial of service in Kyocera TASKalfa 4053ci printer

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jul 07

SEC Consult Vulnerability Lab Security Advisory < 20230705-0 >
=======================================================================
title: Path traversal bypass & Denial of service
product: Kyocera TASKalfa 4053ci printer
vulnerable version: TASKalfa 4053ci Version <= 2VG_S000.002.561
fixed version: 2VG_S000.002.574
CVE numbers: CVE-2023-34259, CVE-2023-34260, CVE-2023-34261...
  • July 7th 2023 at 17:30

SEC Consult SA-20230703-0 :: Multiple Vulnerabilities including Unauthenticated RCE in Siemens A8000

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jul 07

SEC Consult Vulnerability Lab Security Advisory < 20230703-0 >
=======================================================================
title: Multiple Vulnerabilities including Unauthenticated RCE
product: Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00)
Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00)
vulnerable version: <= V04.92
fixed version: CPCI85 V05
CVE...
  • July 7th 2023 at 17:30

SEC Consult Vulnerability Lab Whitepaper: Everyone Knows SAP®, Everyone Uses SAP, Everyone Uses RFC, No One Knows RFC: From RFC to RCE 16 Years Later

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jul 07

SEC Consult Vulnerability Lab Whitepaper < 20230629-0 >
=======================================================================
Title: Everyone Knows SAP®, Everyone Uses SAP,
Everyone Uses RFC, No One Knows RFC:
From RFC to RCE 16 Years Later
Researcher: Fabian Hagg (Office Vienna)
SEC Consult Vulnerability Lab...
  • July 7th 2023 at 17:30

Re: OpenBSD kernel relinking is not transactional and a local exploit exists

Posted by pesco on Jun 21

C. W. Schech on Sat, Jun 17 2023:

By who? Which user ID specifically?

And clearly such checksums could not be tampered with?

PoC or GTFO.

rolling on the floor laughing
  • June 21st 2023 at 22:26

Re: OpenBSD kernel relinking is not transactional and a local exploit exists

Posted by jvoisin via Fulldisclosure on Jun 21

I'm unsure I understand the threat model here: an attacker with root
privileges is able to modify the kernel data about to be relinked?

You're also mentioning SLSA, but as you also said, OpenBSD doesn't have
reproducible builds and all the cool build hardening things(tm). So
having a cryptographic path to the resulting relinked kernel won't
really improve anything, given the current state of affairs.
  • June 21st 2023 at 22:25

OXAS-ADV-2023-0002: OX App Suite Security Advisory

Posted by Martin Heiland via Fulldisclosure on Jun 21

Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Internal reference: MWB-1994
Type:...
  • June 21st 2023 at 22:25

OpenBSD kernel relinking is not transactional and a local exploit exists

Posted by Schech, C. W. ("Connor") on Jun 19

The automatic and mandatory-by-default reordering of OpenBSD kernels
is NOT transactional and as a result, a local unpatched exploit exists
which allows tampering or replacement of the kernel. Arbitrary build
artifacts are cyclically relinked with no data integrity or provenance
being maintained or verified for the objects being consumed with
respect to the running kernel before and during the execution of the
mandatory kernel_reorder process in...
  • June 19th 2023 at 13:24

Polycom BToE Connector 4.4.0.0 Multiple Vulnerabilities

Posted by BUG on Jun 19

Microsoft® Lync™ Better Together over Ethernet (BToE) feature on
Polycom® VVX® business media phones enables you to control phone
activity from your computer using your Lync client.
The BToE feature enables you to place, answer, and hold audio and video
calls from your Polycom VVX phone and your Lync client on your computer.

#### Title: Polycom BToE Connector 4.4.0.0 Multiple Vulnerabilities
#### Affected versions: 4.4.0.0
#### Tested...
  • June 19th 2023 at 13:24

Windows PowerShell / Trojan File RCE revisited

Posted by hyp3rlinx on Jun 09

Hi,

Windows PowerShell Filename Code Execution POC

Discovery: 2019 and revisited 2023

Since it still works, I dusted off and made minor improvements:

Execute a remote DLL using rundll32
Execute an unintended secondary PS1 script or local text-file (can be
hidden)
Updated the PS1 Trojan Filename Creator Python3 Script
First reported to Microsoft back in 2019 yet remains unfixed as of the time
of this writing.

Remote code execution via a...
  • June 9th 2023 at 16:53

Defense in depth -- the Microsoft way (part 85): escalation of privilege plus remote code execution with HVCISCAN.exe

Posted by Stefan Kanthak on Jun 07

Hi @ll,

about a month ago Microsoft published HVCIScan-{amd,arm}64.exe, a
"Tool to check devices for compatibility with memory integrity (HVCI)"

The "Install instructions" on the download page
<https://www.microsoft.com/en-us/download/105217> tell:

| Download the hvciscan.exe for your system architecture (AMD64 or ARM64).
| From an elevated command window or PowerShell, run hvciscan.exe

"ELEVATED" sounds...
  • June 7th 2023 at 21:15

LPE and RCE in RenderDoc: CVE-2023-33865, CVE-2023-33864, CVE-2023-33863

Posted by Qualys Security Advisory via Fulldisclosure on Jun 07

Qualys Security Advisory

LPE and RCE in RenderDoc: CVE-2023-33865, CVE-2023-33864, CVE-2023-33863

========================================================================
Contents
========================================================================

Summary
CVE-2023-33865, a symlink vulnerability in /tmp/RenderDoc
- Analysis
- Exploitation
CVE-2023-33864, an integer underflow to heap-based buffer overflow
- Analysis
- Exploitation...
  • June 7th 2023 at 21:15

[CVE-2023-29459] FC Red Bull Salzburg App "at.redbullsalzburg.android.AppMode.Default.Splash.SplashActivity" Arbitrary URL Loading

Posted by Julien Ahrens (RCE Security) on Jun 02

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: FC Red Bull Salzburg App
Vendor URL: https://play.google.com/store/apps/details?id=laola.redbull
Type: Improper Authorization in Handler for Custom URL Scheme [CWE-939]
Date found: 2023-04-06
Date published: 2023-06-01
CVSSv3 Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE: CVE-2023-29459...
  • June 2nd 2023 at 21:19

[RT-SA-2022-004] STARFACE: Authentication with Password Hash Possible

Posted by RedTeam Pentesting GmbH on Jun 01

Advisory: STARFACE: Authentication with Password Hash Possible

RedTeam Pentesting discovered that the web interface of STARFACE as well
as its REST API allows authentication using the SHA512 hash of the
password instead of the cleartext password. While storing password
hashes instead of cleartext passwords in an application's database
generally has become best practice to protect users' passwords in case
of a database compromise, this...
  • June 1st 2023 at 13:39

CVE-2022-48331 - Buffer Overflow in Widevine Trustlet (drm_save_keys @ 0x69b0)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48331
[+] Title : Buffer Overflow in Widevine Trustlet
(drm_save_keys @ 0x69b0)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------

5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0...
  • May 30th 2023 at 14:40

CVE-2022-48334 - Buffer Overflow in Widevine Trustlet (drm_verify_keys @ 0x7370)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48334
[+] Title : Buffer Overflow in Widevine Trustlet
(drm_verify_keys @ 0x7370)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------
5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0...
  • May 30th 2023 at 14:40

CVE-2022-48333 - Buffer Overflow in Widevine Trustlet (drm_verify_keys @ 0x730c)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48333
[+] Title : Buffer Overflow in Widevine Trustlet
(drm_verify_keys @ 0x730c)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------
5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0...
  • May 30th 2023 at 14:40

CVE-2022-48332 - Buffer Overflow in Widevine Trustlet (drm_save_keys @ 0x6a18)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48332
[+] Title : Buffer Overflow in Widevine Trustlet
(drm_save_keys @ 0x6a18)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------
5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0...
  • May 30th 2023 at 14:40

CVE-2022-48336 - Buffer Overflow in Widevine Trustlet (PRDiagParseAndStoreData @ 0x5cc8)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48336
[+] Title : Buffer Overflow in Widevine Trustlet
(PRDiagParseAndStoreData @ 0x5cc8)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------
5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E),...
  • May 30th 2023 at 14:40

CVE-2022-48335 - Buffer Overflow in Widevine Trustlet (PRDiagVerifyProvisioning @ 0x5f90)

Posted by Cyber Intel Security on May 30

1. INFORMATION
--------------
[+] CVE : CVE-2022-48335
[+] Title : Buffer Overflow in Widevine Trustlet
(PRDiagVerifyProvisioning @ 0x5f90)
[+] Vendor : Google
[+] Device : Nexus 6
[+] Affected component : Widevine
[+] Publication date : March 2023
[+] Credits : CyberIntel Team

2. AFFECTED VERSIONS
--------------------
5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0...
  • May 30th 2023 at 14:40

SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer

Posted by Lennert Preuth via Fulldisclosure on May 30

Title
=====

SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2023-33255

Link
====

https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt

Further SCHUTZWERK advisories:
https://www.schutzwerk.com/blog/tags/advisories/

Affected products/vendor...
  • May 30th 2023 at 14:39

[RT-SA-2023-005] Pydio Cells: Server-Side Request Forgery

Posted by RedTeam Pentesting GmbH on May 30

For longer running processes, Pydio Cells allows for the creation of
jobs, which are run in the background. The job "remote-download" can be
used to cause the backend to send a HTTP GET request to a specified URL
and save the response to a new file. The response file is then available
in a user-specified folder in Pydio Cells.

Details
=======

Product: Pydio Cells
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0,...
  • May 30th 2023 at 09:52

[RT-SA-2023-004] Pydio Cells: Cross-Site Scripting via File Download

Posted by RedTeam Pentesting GmbH on May 30

Advisory: Pydio Cells: Cross-Site Scripting via File Download

Pydio Cells implements the download of files using presigned URLs which
are generated using the Amazon AWS SDK for JavaScript [1]. The secrets
used to sign these URLs are hardcoded and exposed through the JavaScript
files of the web application. Therefore, it is possible to generate
valid signatures for arbitrary download URLs. By uploading an HTML file
and modifying the download URL...
  • May 30th 2023 at 09:51

[RT-SA-2023-003] Pydio Cells: Unauthorised Role Assignments

Posted by RedTeam Pentesting GmbH on May 30

Advisory: Pydio Cells: Unauthorised Role Assignments

Pydio Cells allows users by default to create so-called external users
in order to share files with them. By modifying the HTTP request sent
when creating such an external user, it is possible to assign the new
user arbitrary roles. By assigning all roles to a newly created user, access to
all cells and non-personal workspaces is granted.

Details
=======

Product: Pydio Cells
Affected...
  • May 30th 2023 at 09:47

Printerlogic multiple vulnerabilities

Posted by Eldar Marcussen on May 29

PrinterLogic SaaS, multiple vulnerabilities
===========================================================
PrinterLogic's Enterprise Print Management software allows IT
professionals to simplify printer driver management and empower end
users.
-- https://www.printerlogic.com/

Background
----------------------------------
The following findings were identified by performing both dynamic
testing of the PrinterLogic SaaS platform and code...
  • May 30th 2023 at 02:24

SEC Consult SA-20230517-0 :: Stored XSS vulnerability in rename functionality in Wekan (Open-Source kanban)

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 29

SEC Consult Vulnerability Lab Security Advisory < 20230517-0 >
=======================================================================
title: Stored XSS vulnerability in rename functionality
product: Wekan (Open-Source kanban)
vulnerable version: <=6.74
fixed version: 6.75 or higher
CVE number: CVE-2023-28485
impact: Medium
homepage: https://wekan.github.io...
  • May 30th 2023 at 02:23

SEC Consult SA-20230516-0 :: Multiple Vulnerabilities in Serenity and StartSharp Software

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 29

SEC Consult Vulnerability Lab Security Advisory < 20230516-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Serenity and StartSharp Software
vulnerable version: < 6.7.1
fixed version: 6.7.1 or higher
CVE number: CVE-2023-31285, CVE-2023-31286, CVE-2023-31287
impact: high
homepage:...
  • May 30th 2023 at 02:23

APPLE-SA-2023-05-18-7 watchOS 9.5

Posted by Apple Product Security via Fulldisclosure on May 29

APPLE-SA-2023-05-18-7 watchOS 9.5

watchOS 9.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213764.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Accessibility
Available for: Apple Watch Series 4 and later
Impact: An app may be able to bypass Privacy preferences
Description: A...
  • May 30th 2023 at 02:23

APPLE-SA-2023-05-18-2 iOS 15.7.6 and iPadOS 15.7.6

Posted by Apple Product Security via Fulldisclosure on May 29

APPLE-SA-2023-05-18-2 iOS 15.7.6 and iPadOS 15.7.6

iOS 15.7.6 and iPadOS 15.7.6 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213765.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Accessibility
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE
(1st...
  • May 30th 2023 at 02:23

SEC Consult SA-20230515-0 :: Multiple Vulnerabilities in Kiddoware Kids Place Parental Control Android App

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 15

SEC Consult Vulnerability Lab Security Advisory < 20230515-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Kiddoware Kids Place Parental Control Android App
vulnerable version: <=3.8.49
fixed version: 3.8.50 or higher
CVE number: CVE-2023-28153, CVE-2023-29078, CVE-2023-29079
impact: High
homepage:...
  • May 16th 2023 at 03:18
โŒ