CVE-2018-4309

Published: Apr 3, 2019Modified: Nov 21, 2024

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation. This issue affected versions prior to iOS 12, tvOS 12, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7.

Affected (5)

Products: Apple: Iphone Os, Safari, Tvos, Icloud, Itunes

5 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Apple Iphone Os	Before 12.0
Apple Safari	Before 12
Apple Tvos	Before 12

Configuration B

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Apple Icloud	Before 7.7
Apple Itunes	Before 12.9

Running on/with	Platform Versions
Microsoft Windows	All versions

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (10)

https://support.apple.com/kb/HT209106

Source: product-security@apple.com

Vendor Advisory

https://support.apple.com/kb/HT209107

Source: product-security@apple.com

Vendor Advisory

https://support.apple.com/kb/HT209109

Source: product-security@apple.com

Vendor Advisory

https://support.apple.com/kb/HT209140

Source: product-security@apple.com

Vendor Advisory

https://support.apple.com/kb/HT209141

Source: product-security@apple.com

Vendor Advisory

https://support.apple.com/kb/HT209106