CVSS: 8.8 | EPSS: 0% | CPEs: 8 | EXPL: 0

The issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.6.3, macOS Ventura 13.2, watchOS 9.3, macOS Big Sur 11.7.3, Safari 16.3, tvOS 16.3, iOS 16.3 and iPadOS 16.3. Processing maliciously crafted web content may lead to arbitrary code execution. A vulnerability was found in WebKitGTK. This issue occurs when processing maliciously crafted web content in WebKit.
• https://support.apple.com/en-us/HT213599
• https://support.apple.com/en-us/HT213600
• https://support.apple.com/en-us/HT213601
• https://support.apple.com/en-us/HT213603
• https://support.apple.com/en-us/HT213604
• https://support.apple.com/en-us/HT213605
• https://support.apple.com/en-us/HT213606
• https://support.apple.com/en-us/HT213638
• https://access.redhat.com/security/cve/CVE-2023-23518
• https://bugzilla.redhat.com/show_bug.cgi?id=2167715
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 1

Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments within the attachments.noindex directory. Client mechanisms fail to validate modifications of existing cached files, resulting in an attacker's ability to insert malicious code into pre-existing attachments or replace them completely. A threat actor can forward the existing attachment in the corresponding conversation to external groups, and the name and size of the file will not change, allowing the malware to masquerade as another file. NOTE: the vendor disputes the relevance of this finding because the product is not intended to protect against adversaries with this degree of local access.
• https://johnjhacking.com/blog/cve-2023-24068-cve-2023-24069
• https://signal.org/download/linux
• https://signal.org/download/macos
• https://signal.org/en/download/windows

CVSS: 3.3 | EPSS: 0% | CPEs: 4 | EXPL: 1

Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. Cached attachments are not effectively cleared. In some cases, even after a self-initiated file deletion, an attacker can still recover the file if it was previously replied to in a conversation. (Local filesystem access is needed by the attacker.) NOTE: the vendor disputes the relevance of this finding because the product is not intended to protect against adversaries with this degree of local access.
• https://johnjhacking.com/blog/cve-2023-24068-cve-2023-24069
• https://signal.org/download/linux
• https://signal.org/download/macos
• https://signal.org/en/download/windows
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.1 | EPSS: 0% | CPEs: 2 | EXPL: 1

Cross-site scripting (XSS) vulnerability in Hundredrabbits Left 7.1.5 for macOS allows attackers to execute arbitrary code via file names.
• https://github.com/hundredrabbits/Left/issues/167
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 2 | EXPL: 1

Cross-site scripting (XSS) vulnerability in Hundredrabbits Left 7.1.5 for macOS allows attackers to execute arbitrary code via the meta tag.
• https://github.com/hundredrabbits/Left/issues/168
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')