Posted by Apple Product Security via Fulldisclosure on Mar 13
APPLE-SA-03-07-2024-3 macOS Ventura 13.6.5
macOS Ventura 13.6.5 addresses the following issues.
Information about the security content is also available at https://support.apple.com/kb/HT214085.
Apple maintains a Security Releases page at https://support.apple.com/HT201222 which lists recent
software updates with security advisories.
Admin Framework
Available for: macOS Ventura
Impact: An app may be able to elevate privileges
Description: A…
Posted by Apple Product Security via Fulldisclosure on Mar 13
APPLE-SA-03-05-2024-2 iOS 16.7.6 and iPadOS 16.7.6
iOS 16.7.6 and iPadOS 16.7.6 addresses the following issues.
Information about the security content is also available at https://support.apple.com/kb/HT214082.
Apple maintains a Security Releases page at https://support.apple.com/HT201222 which lists recent
software updates with security advisories.
Additional CVE entries coming soon.
Kernel
Available for: iPhone 8, iPhone 8 Plus, iPhone X,…
Posted by Apple Product Security via Fulldisclosure on Mar 13
APPLE-SA-03-05-2024-1 iOS 17.4 and iPadOS 17.4
iOS 17.4 and iPadOS 17.4 addresses the following issues.
Information about the security content is also available at https://support.apple.com/kb/HT214081.
Apple maintains a Security Releases page at https://support.apple.com/HT201222 which lists recent
software updates with security advisories.
Additional CVE entries coming soon.
Accessibility
Available for: iPhone XS and later, iPad Pro…
Threat: Backdoor.Win32.Beastdoor.oq
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 1332, makes outbound
connections to SMTP port 25 and executes a PE file named svchost.exe
dropped in…
Arbitrary code execution in StimulusReflex. This affects version 3.5.0 up to and including 3.5.0.rc2 and v3.5.0.pre10.
## Vulnerable code excerpt
stimulus_reflex/lib/stimulus_reflex/reflex.rb
“`
# Invoke the reflex action specified by `name` and run all callbacks
def process(name, *args)
run_callbacks(:process) { public_send(name, *args) }
end
“`
Posted by Valentin Lobstein via Fulldisclosure on Mar 13
CVE ID: CVE-2024-25228
Title: Authenticated Command Injection Vulnerability in ManoeuvreHandler.class.php of Vinchin Backup & Recovery
Versions 7.2 and Earlier
Description:
A critical security vulnerability has been discovered in the `getVerifydiyResult` function within the
`ManoeuvreHandler.class.php` file of Vinchin Backup & Recovery software, affecting versions 7.2 and earlier. This
function, intended for validating IP addresses…
