FreshRSS

πŸ”’
☐ β˜† βœ‡ Full Disclosure

Defense in depth -- the Microsoft way (part 84): (no) fun with %COMSPEC%

March 24th 2023 at 13:17

Posted by Stefan Kanthak on Mar 24

Hi @ll,

the documentation of the builtin START command
<https://technet.microsoft.com/en-us/library/cc770297.aspx>
of Windows NT's command processor CMD.EXE states:

| When you run a command that contains the string "CMD" as the first
| token without an extension or path qualifier, "CMD" is replaced
| with the value of the COMSPEC variable.
| This prevents users from picking up cmd from the current directory....
☐ β˜† βœ‡ Full Disclosure

Invitation to the World Cryptologic Competition 2023

March 22nd 2023 at 05:32

Posted by Competition Administrator on Mar 21

The WCC 2023 is a fully-online and open competition using GitHub.
The language of the competition is English.

The WCC 2023 has a total duration of 295 days, from Sunday January 1st 2023
to Monday October 23rd 2023.
Teams and Judges must complete registration before Wednesday June 1st.

The WCC 2023 has three entry categories:
Category A: Block Ciphers with a 512-bit block, 512-bit key, and 192-bit
nonce
Category B: Digest Functions with a...
☐ β˜† βœ‡ Full Disclosure

Re: Microsoft PlayReady security research

March 22nd 2023 at 05:30

Posted by Adam Gowdiak on Mar 21

Hello,

I feel obliged to provide additional comments to this paragraph as I
start to believe that CANAL+ might not deserve sole blame here...

While Microsoft claims there is absolutely no bug at its end, I
personally start to perceive the company as the one that should be
also blamed to some extent.

Below, I am providing you with the reasons that has lead me to such a
conclusion.

For many months, no response from CANAL+ was taken at my end as...
☐ β˜† βœ‡ Full Disclosure

Insecure python cgi documentation and tutorials are vulnerable to XSS.

March 22nd 2023 at 05:30

Posted by Georgi Guninski on Mar 21

Is there low hanging fruit for the following observation?

The documentation of the python cgi module is vulnerable to XSS
(cross site scripting)

https://docs.python.org/3/library/cgi.html

```
form = cgi.FieldStorage()
print("<p>name:", form["name"].value)
print("<p>addr:", form["addr"].value)
```

First result on google for "tutorial python cgi"
is...
☐ β˜† βœ‡ Full Disclosure

Re: Defense in depth -- the Microsoft way (part 83): instead to fix even their most stupid mistaskes, they spill barrels of snakeoil to cover them (or just leave them as-is)

March 22nd 2023 at 05:29

Posted by Arik Seils on Mar 21

Hi there,

One can use the Metasploit Framework Module post/windows/local/bypassua _fodhelper to achieve this.

Greetings from Germany,

A.Seils

17.03.2023 06:26:56 Stefan Kanthak <stefan.kanthak () nexgo de>:
☐ β˜† βœ‡ Full Disclosure

Re: Microsoft PlayReady security research

March 21st 2023 at 10:11

Posted by Security Explorations on Mar 21

Hello,

I feel obliged to provide additional comments to this paragraph as I
start to believe that CANAL+ might not deserve sole blame here...

While Microsoft claims there is absolutely no bug at its end, I
personally start to perceive the company as the one that should be
also blamed to some extent.

Below, I am providing you with the reasons that has lead me to such a
conclusion.

For many months, no response from CANAL+ was taken at my end as...
☐ β˜† βœ‡ Full Disclosure

Defense in depth -- the Microsoft way (part 83): instead to fix even their most stupid mistaskes, they spill barrels of snakeoil to cover them (or just leave them as-is)

March 17th 2023 at 05:23

Posted by Stefan Kanthak on Mar 16

Hi @ll,

with Windows 2000, Microsoft virtualised the [HKEY_CLASSES_ROOT] registry
branch: what was just an alias for [HKEY_LOCAL_MACHINE\SOFTWARE\Classes]
before became the overlay of [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] and
[HKEY_CURRENT_USER\Software\Classes] with the latter having precedence:
<https://msdn.microsoft.com/en-us/library/ms724498.aspx>

Note: while [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] is writable only by...
☐ β˜† βœ‡ Full Disclosure

[CFP] Security BSides Ljubljana 0x7E7 | June 16, 2023

March 17th 2023 at 05:22

Posted by Andraz Sraka on Mar 16

MMMMMMMMMMMMMMMMNmddmNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMN..-..--+MMNy:...-.-/yNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMy..ymd-.:Mm::-:osyo-..-mMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MM:..---.:dM/..+NNyyMN/..:MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
Mm../dds.-oy.-.dMh--mMds++MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
My:::::/ydMmo..-hMMMmo//omMs/+Mm+++++shNMN+//+//+oMNy+///ohM
MMMs//yMNo+hMh---m:-:hy+sMN..+Mo..os+.-:Ny--ossssdN-.:yyo+mM...
☐ β˜† βœ‡ Full Disclosure

Full Disclosure - Fastly

March 12th 2023 at 03:13

Posted by Andrey Stoykov on Mar 11

Correspondence from Fastly declined to comment regarding new discovered
vulnerabilities within their website.

Poor practices regarding password changes.

1. Reset user password
2. Access link sent
3. Temporary password sent plaintext

// HTTP POST request

POST /user/mwebsec%40gmail.com/password/request_reset HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)
Gecko/20100101 Firefox/108.0
[...]

[...]...
☐ β˜† βœ‡ Full Disclosure

Full Disclosure - Shopify Application

March 12th 2023 at 03:13

Posted by Andrey Stoykov on Mar 11

Correspondence from Shopify declined to comment regarding new discovered
vulnerabilities within their website.

Although 'frontend' vulnerabilities are considered out of scope,
person/tester foundhimself a beefy bugbounty from the same page that has
been listed below, including similar functionality that has not been tested
yet.

Two emails and several reports, the 'hacker-1' staff reject the bid for
findings.

Online Store...
☐ β˜† βœ‡ Full Disclosure

[CVE-2023-25355/25356] No fix available - vulnerabilities in CoreDial sipXcom sipXopenfire

March 7th 2023 at 02:47

Posted by Systems Research Group via Fulldisclosure on Mar 06


☐ β˜† βœ‡ Full Disclosure

SEC Consult SA-20230306-0 :: Multiple Vulnerabilities in Arris DG3450 Cable Gateway

March 7th 2023 at 02:46

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Mar 06

SEC Consult Vulnerability Lab Security Advisory < 20230306-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Arris DG3450 Cable Gateway
vulnerable version: AR01.02.056.18_041520_711.NCS.10
fixed version: -
CVE number: CVE-2023-27571, CVE-2023-27572
impact: medium
homepage: https://www.commscope.com...
☐ β˜† βœ‡ Full Disclosure

OpenBSD overflow

March 7th 2023 at 02:45

Posted by Erg Noor on Mar 06

Hi,

Fun OpenBSD bug.

ip_dooptions() will allow IPOPT_SSRR with optlen = 2.

save_rte() will set isr_nhops to very large value, which will cause
overflow in next ip_srcroute() call.

More info is here https://github.com/fuzzingrf/openbsd_tcpip_overflow/

-erg
☐ β˜† βœ‡ Full Disclosure

SEC Consult SA-20230228-0 :: OS Command Injectionin Barracuda CloudGen WAN

March 3rd 2023 at 06:18

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Mar 02

SEC Consult Vulnerability Lab Security Advisory < 20230228-0 >
=======================================================================
title: OS Command Injection
product: Barracuda CloudGen WAN
vulnerable version: < v8.* hotfix 1089
fixed version: v8.* with hotfix webui-sdwan-1089-8.3.1-174141891 or above
version 9.0.0 or above
CVE number: CVE-2023-26213...
☐ β˜† βœ‡ Full Disclosure

SRP on Windows 11

March 3rd 2023 at 06:18

Posted by Andy Ful on Mar 02

The correction to:
Full Disclosure: Defense in depth -- the Microsoft way (part 82):
INVALID/BOGUS AppLocker rules disable SAFER on Windows 11 22H2
(seclists.org) <https://seclists.org/fulldisclosure/2023/Feb/13>

The Kanthak correction to restore SRP functionality on Windows 11 ver.
22H2, works only when Smart App Control is OFF. If it is in Evaluate or ON
mode, then the invalid registry values are automatically restored after
restarting...
☐ β˜† βœ‡ Full Disclosure

NetBSD overflow

March 3rd 2023 at 06:17

Posted by Erg Noor on Mar 02

Hi,

Trivial overflow in hfslib_reada_node_offset, while loop has no range
checks.

|size_t hfslib_reada_node_offsets(void* in_bytes, uint16_t*
out_offset_array) { void* ptr; if (in_bytes == NULL || out_offset_array
== NULL) return 0; ptr = in_bytes; out_offset_array--; do {
out_offset_array++; *out_offset_array = be16tohp(&ptr); } while
(*out_offset_array != (uint16_t)14); return ((uint8_t*)ptr -
(uint8_t*)in_bytes); }|

Repro is here...
☐ β˜† βœ‡ Full Disclosure

[NetworkSEC NWSSA] CVE-2023-26602: ASUS ASMB8 iKVM RCE and SSH Root Access

February 28th 2023 at 07:41

Posted by Peter Ohm on Feb 27

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Exploit Title: ASUS ASMB8 iKVM RCE and SSH Root Access
# Date: 2023-02-16
# Exploit Author: d1g () segfault net for NetworkSEC [NWSSA-002-2023]
# Vendor Homepage: https://servers.asus.com/search?q=ASMB8
# Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others)
# Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami...
☐ β˜† βœ‡ Full Disclosure

[NetworkSEC NWSSA] CVE-2023-26609: ABUS Security Camera LFI, RCE and SSH Root

February 28th 2023 at 07:41

Posted by Peter Ohm on Feb 27

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Exploit Title: ABUS Security Camera LFI, RCE and SSH Root Access
# Date: 2023-02-16
# Exploit Author: d1g () segfault net for NetworkSEC [NWSSA-001-2023]
# Vendor Homepage: https://www.abus.com
# Version/Model: TVIP 20000-21150 (probably many others)
# Tested on: GM ARM Linux 2.6, Server: Boa/0.94.14rc21
# CVE:...
☐ β˜† βœ‡ Full Disclosure

Microsoft Windows Contact File / Remote Code Execution (Resurrected) CVE-2022-44666

February 28th 2023 at 03:13

Posted by hyp3rlinx on Feb 27

[-] Microsoft Windows Contact file / Remote Code Execution (Resurrected
2022) / CVE-2022-44666

[+] John Page (aka hyp3rlinx)
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

Back in 2018 I discovered three related Windows remote code execution
vulnerabilities affecting both VCF and Contact files. They were purchased
by Trend Micro Zero Day Initiative (@thezdi) from me and received candidate
identifiers ZDI-CAN-6920 and ZDI-CAN-7591. Microsoft...
☐ β˜† βœ‡ Full Disclosure

Defense in depth -- the Microsoft way (part 82): INVALID/BOGUS AppLocker rules disable SAFER on Windows 11 22H2

February 23rd 2023 at 06:16

Posted by Stefan Kanthak on Feb 22

Hi @ll,

in Windows 11 22H2. some imbeciles from Redmond added the following
(of course WRONG and INVALID) registry entries and keys which they
dare to ship to their billion world-wide users:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Srp\Gp]
"RuleCount"=dword:00000002
"LastWriteTime"=hex(b):01,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Srp\Gp\DLL]

JFTR: the time stamp is 100ns past...
☐ β˜† βœ‡ Full Disclosure

Multiple vulnerabilities in Audiocodes Device Manager Express

February 23rd 2023 at 06:15

Posted by Eric Flokstra on Feb 22

# Product Name: Device Manager Express
# Vendor Homepage: https://www.audiocodes.com
# Software Link:
https://www.audiocodes.com/solutions-products/products/management-products-solutions/device-manager
# Version: <= 7.8.20002.47752
# Tested on: Windows 10 / Server 2019
# Default credentials: admin/admin
# CVE-2022-24627, CVE-2022-24628, CVE-2022-24629, CVE-2022-24630,
CVE-2022-24631, CVE-2022-24632
# Exploit:...
☐ β˜† βœ‡ Full Disclosure

Sumo Logic keep api credentials on endpoints

February 23rd 2023 at 06:15

Posted by dammitjosie--- via Fulldisclosure on Feb 22

security bug:

go sumologic.com (big company, many customer)

make free account

log in account, make access key - help.sumologic.com/docs/manage/security/access-keys/
<http://help.sumologic.com/docs/manage/security/access-keys/>

download collector for windows -
help.sumologic.com/docs/send-data/installed-collectors/collector-installation-reference/download-collector-from-static-url/

<...
☐ β˜† βœ‡ Full Disclosure

Remote Code Execution in Kardex MLOG

February 17th 2023 at 03:35

Posted by Patrick Hener on Feb 16

Remote Code Execution in Kardex MLOG
=======================================================================
Product: Kardex Mlog MCC
Vendor: Kardex Holding AG
Tested Version: 5.7.12+0-a203c2a213-master
Fixed Version: inline patch - no new version number
Vulnerability Type: Improper Control of Generation of Code ("RFI") - CWE-94
CVSSv2 Severity:...
☐ β˜† βœ‡ Full Disclosure

CyberDanube Security Research 20230213-0 | Multiple Vulnerabilities in JetWave Series

February 14th 2023 at 21:43

Posted by Thomas Weber on Feb 14

CyberDanube Security Research 20230213-0
-------------------------------------------------------------------------------
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β  title| Multiple Vulnerabilities
Β Β Β Β Β Β Β Β Β Β Β Β Β  product| JetWave4221 HP-E, JetWave 2212G, JetWave
2212X/2212S,
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β  | JetWave 2211C, JetWave 2411/2111, JetWave
2411L/2111L,
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β  | JetWave 2414/2114, JetWave...
☐ β˜† βœ‡ Full Disclosure

SEC Consult SA-20230214-0 :: Multiple XSS Vulnerabilities in B&R Systems Diagnostics Manager

February 14th 2023 at 21:42

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Feb 14

SEC Consult Vulnerability Lab Security Advisory < 20230214-0 >
=======================================================================
title: Multiple XSS Vulnerabilities
product: B&R Systems Diagnostics Manager
vulnerable version: >=3.00 and <=C4.93
fixed version: >=D4.93
CVE number: CVE-2022-4286
impact: medium
homepage: https://www.br-automation.com...
☐ β˜† βœ‡ Full Disclosure

Defense in depth -- the Microsoft way (part 81): enabling UTF-8 support breaks existing code

February 14th 2023 at 21:42

Posted by Stefan Kanthak on Feb 14

Hi @ll,

almost 4 years ago, with Windows 10 1903, after more than a year
beta-testing in insider previews, Microsoft finally released UTF-8
support for the -A interfaces of the Windows API.

0) <https://docs.microsoft.com/en-us/windows/uwp/design/globalizing/use-utf8-code-page#activeCodePage>

| If the ANSI code page is configured for UTF-8, -A APIs typically
| operate in UTF-8. This model has the benefit of supporting
| existing...
☐ β˜† βœ‡ Full Disclosure

APPLE-SA-2023-02-13-1 iOS 16.3.1 and iPadOS 16.3.1

February 14th 2023 at 21:42

Posted by Apple Product Security via Fulldisclosure on Feb 14

APPLE-SA-2023-02-13-1 iOS 16.3.1 and iPadOS 16.3.1

iOS 16.3.1 and iPadOS 16.3.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213635.

Kernel
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air
3rd generation and later, iPad 5th generation and later, and iPad
mini 5th generation and later
Impact: An app may be able to execute arbitrary code with kernel...
☐ β˜† βœ‡ Full Disclosure

APPLE-SA-2023-02-13-2 macOS Ventura 13.2.1

February 14th 2023 at 21:42

Posted by Apple Product Security via Fulldisclosure on Feb 14

APPLE-SA-2023-02-13-2 macOS Ventura 13.2.1

macOS Ventura 13.2.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213633.

Kernel
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of...
☐ β˜† βœ‡ Full Disclosure

APPLE-SA-2023-02-13-3 Safari 16.3.1

February 14th 2023 at 21:42

Posted by Apple Product Security via Fulldisclosure on Feb 14

APPLE-SA-2023-02-13-3 Safari 16.3.1

Safari 16.3.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213638.

WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that this issue
may have been actively exploited.
Description: A type confusion issue was addressed...
☐ β˜† βœ‡ Full Disclosure

OXAS-ADV-2022-0002: OX App Suite Security Advisory

February 14th 2023 at 21:41

Posted by Martin Heiland via Fulldisclosure on Feb 14

Dear subscribers,

we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

A CSAF representation of this advisory has been published at
https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Internal reference:...
☐ β˜† βœ‡ Full Disclosure

[CVE-2023-0291] Quiz And Survey Master <= 8.0.8 - Unauthenticated Arbitrary Media Deletion

February 14th 2023 at 21:40

Posted by Julien Ahrens (RCE Security) on Feb 14

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: Quiz And Survey Master
Vendor URL: https://wordpress.org/plugins/quiz-master-next/
Type: Missing Authentication for Critical Function [CWE-306]
Date found: 2023-01-13
Date published: 2023-02-08
CVSSv3 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVE: CVE-2023-0291

2. CREDITS
==========...
☐ β˜† βœ‡ Full Disclosure

[CVE-2023-0292] Quiz And Survey Master <= 8.0.8 - Cross-Site Request Forgery to Arbitrary Media Deletion

February 14th 2023 at 21:40

Posted by Julien Ahrens (RCE Security) on Feb 14

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: Quiz And Survey Master
Vendor URL: https://wordpress.org/plugins/quiz-master-next/
Type: Cross-Site Request Forgery (CSRF) [CWE-352]
Date found: 2023-01-13
Date published: 2023-02-08
CVSSv3 Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVE: CVE-2023-0292

2. CREDITS
==========
This...
☐ β˜† βœ‡ Full Disclosure

[CVE-Request] Multiple vulnerabilities in BMC Control-M before 9.0.20.214

February 14th 2023 at 21:39

Posted by Benjamin Mar-Conrad on Feb 14


☐ β˜† βœ‡ Full Disclosure

Trovent Security Advisory 2203-01 / Micro Focus GroupWise transmits session ID in URL

January 31st 2023 at 07:03

Posted by Stefan Pietsch on Jan 30

# Trovent Security Advisory 2203-01 #
#####################################

Micro Focus GroupWise transmits session ID in URL
#################################################

Overview
########

Advisory ID: TRSA-2203-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2203-01
Affected product: Micro Focus GroupWise
Affected version: prior to 18.4.2
Vendor: Micro Focus, https://www.microfocus.com...
☐ β˜† βœ‡ Full Disclosure

[SYSS-2022-047] Razer Synapse - Local Privilege Escalation

January 27th 2023 at 03:53

Posted by Oliver Schwarz via Fulldisclosure on Jan 26

Advisory ID: SYSS-2022-047
Product: Razer Synapse
Manufacturer: Razer Inc.
Affected Version(s): Versions before 3.7.0830.081906
Tested Version(s): 3.7.0731.072516
Vulnerability Type: Improper Certificate Validation (CWE-295)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2022-08-02
Solution Date: 2022-09-06
Public Disclosure:...
☐ β˜† βœ‡ Full Disclosure

APPLE-SA-2023-01-24-1 tvOS 16.3

January 27th 2023 at 03:53

Posted by Apple Product Security via Fulldisclosure on Jan 26

APPLE-SA-2023-01-24-1 tvOS 16.3

tvOS 16.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213601.

AppleMobileFileIntegrity
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by enabling hardened runtime.
CVE-2023-23499: Wojciech ReguΕ‚a (@_r3ggi) of SecuRing...
☐ β˜† βœ‡ Full Disclosure

[RT-SA-2022-002] Skyhigh Security Secure Web Gateway: Cross-Site Scripting in Single Sign-On Plugin

January 26th 2023 at 15:25

Posted by RedTeam Pentesting GmbH on Jan 26

RedTeam Pentesting identified a vulnerability which allows attackers to
craft URLs to any third-party website that result in arbitrary content
to be injected into the response when accessed through the Secure Web
Gateway. While it is possible to inject arbitrary content types, the
primary risk arises from JavaScript code allowing for cross-site
scripting.

Details
=======

Product: Secure Web Gateway
Affected Versions: 10.2.11, potentially other...
☐ β˜† βœ‡ Full Disclosure

t2'23: Call For Papers 2023 (Helsinki, Finland)

January 24th 2023 at 06:14

Posted by Tomi Tuominen via Fulldisclosure on Jan 23

Call For Papers 2023

Tired of your bosses suspecting conference trips to exotic locations being just a ploy to partake in Security Vacation
Club? Prove them wrong by coming to Helsinki, Finland on May 4-5 2023! Guaranteed lack of sunburn, good potential for
rain or slush. In case of great spring weather, though, no money back.

CFP and registration both open. Read further if still unsure.

Maui, Miami, Las Vegas, Tel Aviv or Wellington feel so...
☐ β˜† βœ‡ Full Disclosure

Re: HNS-2022-01 - HN Security Advisory - Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm

January 24th 2023 at 06:13

Posted by Marco Ivaldi on Jan 23

Hello again,

Just a quick update. Mitre has assigned the following additional CVE IDs:

* CVE-2023-24039 - Stack-based buffer overflow in libXm ParseColors
* CVE-2023-24040 - Printer name injection and heap memory disclosure

We have updated the advisory accordingly:
https://github.com/hnsecurity/vulns/blob/main/HNS-2022-01-dtprintinfo.txt

Regards,
Marco
☐ β˜† βœ‡ Full Disclosure

APPLE-SA-2023-01-23-7 watchOS 9.3

January 24th 2023 at 06:13

Posted by Apple Product Security via Fulldisclosure on Jan 23

APPLE-SA-2023-01-23-7 watchOS 9.3

watchOS 9.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213599.

AppleMobileFileIntegrity
Available for: Apple Watch Series 4 and later
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by enabling hardened runtime.
CVE-2023-23499: Wojciech Regula of SecuRing (wojciechregula.blog)

ImageIO...
☐ β˜† βœ‡ Full Disclosure

APPLE-SA-2023-01-23-8 Safari 16.3

January 24th 2023 at 06:13

Posted by Apple Product Security via Fulldisclosure on Jan 23

APPLE-SA-2023-01-23-8 Safari 16.3

Safari 16.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213600.

WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 245464
CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao...
☐ β˜† βœ‡ Full Disclosure

APPLE-SA-2023-01-23-2 iOS 15.7.3 and iPadOS 15.7.3

January 24th 2023 at 06:12

Posted by Apple Product Security via Fulldisclosure on Jan 23

APPLE-SA-2023-01-23-2 iOS 15.7.3 and iPadOS 15.7.3

iOS 15.7.3 and iPadOS 15.7.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213598.

Kernel
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone
SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod
touch (7th generation)
Impact: An app may be able to leak sensitive kernel state
Description:...
☐ β˜† βœ‡ Full Disclosure

APPLE-SA-2023-01-23-3 iOS 12.5.7

January 24th 2023 at 06:12

Posted by Apple Product Security via Fulldisclosure on Jan 23

APPLE-SA-2023-01-23-3 iOS 12.5.7

iOS 12.5.7 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213597.

WebKit
Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad
mini 2, iPad mini 3, and iPod touch (6th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that this issue
may have been...
☐ β˜† βœ‡ Full Disclosure

APPLE-SA-2023-01-23-4 macOS Ventura 13.2

January 24th 2023 at 06:12

Posted by Apple Product Security via Fulldisclosure on Jan 23

APPLE-SA-2023-01-23-4 macOS Ventura 13.2

macOS Ventura 13.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213605.

AppleMobileFileIntegrity
Available for: macOS Ventura
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by enabling hardened runtime.
CVE-2023-23499: Wojciech ReguΕ‚a (@_r3ggi) of SecuRing
(wojciechregula.blog)...
☐ β˜† βœ‡ Full Disclosure

APPLE-SA-2023-01-23-1 iOS 16.3 and iPadOS 16.3

January 24th 2023 at 06:12

Posted by Apple Product Security via Fulldisclosure on Jan 23

APPLE-SA-2023-01-23-1 iOS 16.3 and iPadOS 16.3

iOS 16.3 and iPadOS 16.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213606.

AppleMobileFileIntegrity
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air
3rd generation and later, iPad 5th generation and later, and iPad
mini 5th generation and later
Impact: An app may be able to access user-sensitive data...
☐ β˜† βœ‡ Full Disclosure

APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3

January 24th 2023 at 06:12

Posted by Apple Product Security via Fulldisclosure on Jan 23

APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3

macOS Monterey 12.6.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213604.

AppleMobileFileIntegrity
Available for: macOS Monterey
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by enabling hardened runtime.
CVE-2023-23499: Wojciech ReguΕ‚a (@_r3ggi) of SecuRing...
☐ β˜† βœ‡ Full Disclosure

APPLE-SA-2023-01-23-6 macOS Big Sur 11.7.3

January 24th 2023 at 06:12

Posted by Apple Product Security via Fulldisclosure on Jan 23

APPLE-SA-2023-01-23-6 macOS Big Sur 11.7.3

macOS Big Sur 11.7.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213603.

AppleMobileFileIntegrity
Available for: macOS Big Sur
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by enabling hardened runtime.
CVE-2023-23499: Wojciech ReguΕ‚a (@_r3ggi) of SecuRing
(wojciechregula.blog)...
☐ β˜† βœ‡ Full Disclosure

HNS-2022-01 - HN Security Advisory - Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm

January 20th 2023 at 02:49

Posted by Marco Ivaldi on Jan 19

Dear Full Disclosure,

Find attached a security advisory that details multiple
vulnerabilities we discovered in Oracle Solaris CDE dtprintinfo, Motif
libXm, and X.Org libXpm.

* Title: Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm
* Products: Common Desktop Environment 1.6, Motif 2.1, X.Org libXpm < 3.5.15
* OS: Oracle Solaris 10 (CPU January 2021)
* Author: Marco Ivaldi <marco.ivaldi () hnsecurity it>
* Date:...
☐ β˜† βœ‡ Full Disclosure

SEC Consult SA-20230117-2 :: Multiple post-authentication vulnerabilities including RCE in @OpenText Content Server component of OpenText Extended ECM

January 20th 2023 at 02:49

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jan 19

SEC Consult Vulnerability Lab Security Advisory < 20230117-2 >
=======================================================================
title: Multiple post-authentication vulnerabilities including RCE
product: OpenTextβ„’ Content Server component of OpenTextβ„’ Extended ECM
vulnerable version: 16.2.2 - 22.3
fixed version: 22.4
CVE number: CVE-2022-45924, CVE-2022-45922, CVE-2022-45925,...
☐ β˜† βœ‡ Full Disclosure

SEC Consult SA-20230117-0 :: Pre-authenticated Remote Code Execution in cs.exe (@OpenText Content Server component of OpenText Extended ECM)

January 20th 2023 at 02:49

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jan 19

SEC Consult Vulnerability Lab Security Advisory < 20230117-0 >
=======================================================================
title: Pre-authenticated Remote Code Execution in cs.exe
product: OpenTextβ„’ Content Server component of OpenTextβ„’ Extended ECM
vulnerable version: 20.4 - 22.3
fixed version: 22.4
CVE number: CVE-2022-45923
impact: Critical
homepage:...
☐ β˜† βœ‡ Full Disclosure

SEC Consult SA-20230117-1 :: Pre-authenticated Remote Code Execution via Java frontend and QDS endpoint in @OpenText Content Server component of OpenText Extended ECM

January 20th 2023 at 02:49

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Jan 19

SEC Consult Vulnerability Lab Security Advisory < 20230117-1 >
=======================================================================
title: Pre-authenticated Remote Code Execution via Java frontend
and QDS endpoint
product: OpenTextβ„’ Content Server component of OpenTextβ„’ Extended ECM
vulnerable version: 20.4 - 22.3
fixed version: 22.4
CVE number: CVE-2022-45927...
☐ β˜† βœ‡ Full Disclosure

wolfSSL before 5.5.0: Denial-of-service with session resumption

January 20th 2023 at 02:48

Posted by Maximilian Ammann via Fulldisclosure on Jan 19

# wolfSSL before 5.5.0: Denial-of-service with session resumption
=================================================================

## INFO
=======

The CVE project has assigned the id CVE-2022-38152 to this issue.

Severity: 7.5 HIGH
Affected version: before 5.5.0
End of embargo: Ended August 30, 2022

## SUMMARY
==========

When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on
its session, the server crashes with a...
☐ β˜† βœ‡ Full Disclosure

wolfSSL before 5.5.0: Denial-of-service with session resumption

January 20th 2023 at 02:48

Posted by Maximilian Ammann via Fulldisclosure on Jan 19

# wolfSSL before 5.5.0: Denial-of-service with session resumption
=================================================================

## INFO
=======

The CVE project has assigned the id CVE-2022-38152 to this issue.

Severity: 7.5 HIGH
Affected version: before 5.5.0
End of embargo: Ended August 30, 2022
Blog Post: https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/

## SUMMARY
==========

When a TLS 1.3 client...
☐ β˜† βœ‡ Full Disclosure

wolfSSL 5.3.0: Denial-of-service

January 20th 2023 at 02:48

Posted by Maximilian Ammann via Fulldisclosure on Jan 19

# wolfSSL 5.3.0: Denial-of-service
==================================

## INFO
=======

The CVE project has assigned the id CVE-2022-38153 to this issue.

Severity: 5.9 MEDIUM
Affected version: 5.3.0
End of embargo: Ended August 30, 2022
Blog Post: https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/

## SUMMARY
==========

In wolfSSL 5.3.0 man-in-the-middle attackers or a malicious server can crash TLS
1.2...
☐ β˜† βœ‡ Full Disclosure

wolfSSL before 5.5.2: Heap-buffer over-read with WOLFSSL_CALLBACKS

January 20th 2023 at 02:48

Posted by Maximilian Ammann via Fulldisclosure on Jan 19

# wolfSSL before 5.5.2: Heap-buffer over-read with WOLFSSL_CALLBACKS
====================================================================

## INFO
=======

The CVE project has assigned the id CVE-2022-42905 to this issue.

Severity: 9.1 CRITICAL
Affected version: before 5.5.2
End of embargo: Ended October 28, 2022
Blog Post: https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/

## SUMMARY
==========

If wolfSSL...
☐ β˜† βœ‡ Full Disclosure

Citrix Linux client logs session credentials

January 17th 2023 at 02:28

Posted by Russell Howe on Jan 16

The Citrix Linux client emits its session credentials when starting a
Citrix session. These credentials end up being recorded in the client's
system log.

Citrix do not consider this to be a security vulnerability.

Writeup here:
https://github.com/rhowe/disclosures/tree/main/citrix-linux-client-cred-leak

Write
☐ β˜† βœ‡ Full Disclosure

[KIS-2023-04] Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP Object Injection Vulnerability

January 9th 2023 at 20:11

Posted by Egidio Romano on Jan 09

----------------------------------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP
Object Injection Vulnerability
----------------------------------------------------------------------------------------------------

[-] Software Link:

https://tiki.org

[-] Affected Versions:

Version 24.1 and prior versions.

[-] Vulnerability Description:

The...
☐ β˜† βœ‡ Full Disclosure

[KIS-2023-03] Tiki Wiki CMS Groupware <= 24.0 (grid.php) PHP Object Injection Vulnerability

January 9th 2023 at 20:10

Posted by Egidio Romano on Jan 09

-----------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 24.0 (grid.php) PHP Object Injection
Vulnerability
-----------------------------------------------------------------------------

[-] Software Link:

https://tiki.org

[-] Affected Versions:

Version 24.0 and prior versions.

[-] Vulnerability Description:

The vulnerability is located in the /lib/sheet/grid.php script,
specifically into...
☐ β˜† βœ‡ Full Disclosure

[KIS-2023-02] Tiki Wiki CMS Groupware <= 24.0 (structlib.php) PHP Code Injection Vulnerability

January 9th 2023 at 20:09

Posted by Egidio Romano on Jan 09

--------------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 24.0 (structlib.php) PHP Code Injection
Vulnerability
--------------------------------------------------------------------------------

[-] Software Link:

https://tiki.org

[-] Affected Versions:

Version 24.0 and prior versions.

[-] Vulnerability Description:

The vulnerability is located in the /lib/structures/structlib.php
script,...
☐ β˜† βœ‡ Full Disclosure

[KIS-2023-01] Tiki Wiki CMS Groupware <= 25.0 Two Cross-Site Request Forgery Vulnerabilities

January 9th 2023 at 20:08

Posted by Egidio Romano on Jan 09

------------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 25.0 Two Cross-Site Request Forgery
Vulnerabilities
------------------------------------------------------------------------------

[-] Software Link:

https://tiki.org

[-] Affected Versions:

Version 25.0 and prior versions.

[-] Vulnerabilities Description:

1) The /tiki-importer.php script does not implement any protection
against...
❌