CVE-2017-7109

An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. iCloud before 7.0 on Windows is affected. iTunes before 12.7 on Windows is affected. tvOS before 11 is affected. The issue involves the "WebKit" component. A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via crafted web content that incorrectly interacts with the Application Cache policy.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/101005	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039384	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039428	Third Party Advisory VDB Entry
https://support.apple.com/HT208112	Vendor Advisory
https://support.apple.com/HT208113	Vendor Advisory
https://support.apple.com/HT208116	Vendor Advisory
https://support.apple.com/HT208141	Vendor Advisory
https://support.apple.com/HT208142	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:tvos::::::::

Configuration 2 (hide)

AND

OR	cpe:2.3:a:apple:icloud::::::::
	cpe:2.3:a:apple:itunes::::::::

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-10-23 01:29

Updated : 2024-02-04 19:29

NVD link : CVE-2017-7109

Mitre link : CVE-2017-7109

CVE.ORG link : CVE-2017-7109

JSON object : View

Products Affected

microsoft

windows

apple

itunes
safari
icloud
iphone_os
tvos

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2017-7109", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2017-10-23T01:29:12.753", "references": [{"url": "http://www.securityfocus.com/bid/101005", "tags": ["Third Party Advisory", "VDB Entry"], "source": "product-security@apple.com"}, {"url": "http://www.securitytracker.com/id/1039384", "tags": ["Third Party Advisory", "VDB Entry"], "source": "product-security@apple.com"}, {"url": "http://www.securitytracker.com/id/1039428", "tags": ["Third Party Advisory", "VDB Entry"], "source": "product-security@apple.com"}, {"url": "https://support.apple.com/HT208112", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "https://support.apple.com/HT208113", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "https://support.apple.com/HT208116", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "https://support.apple.com/HT208141", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "https://support.apple.com/HT208142", "tags": ["Vendor Advisory"], "source": "product-security@apple.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. iCloud before 7.0 on Windows is affected. iTunes before 12.7 on Windows is affected. tvOS before 11 is affected. The issue involves the \"WebKit\" component. A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via crafted web content that incorrectly interacts with the Application Cache policy."}, {"lang": "es", "value": "Se ha descubierto un problema en ciertos productos Apple. Se han visto afectadas las versiones de iOS anteriores a la 11. Se han visto afectadas las versiones de Safari anteriores a la 11, las versiones de iCloud anteriores a la 7.0 en Windows, las versiones de iTunes anteriores a la 12.7 en Windows y las versiones de tvOS anteriores a la 11. El problema implica el componente \"WebKit\". Una vulnerabilidad de Cross-Site Scripting (XSS) permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante contenidos web manipulados que interact\u00faan de forma incorrecta con la pol\u00edtica Application Cache."}], "lastModified": "2019-03-08T16:06:34.263", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "318ED418-97A3-4370-B1C1-16D69C3546EC", "versionEndIncluding": "10.1.2"}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B3F24ECA-0CD0-4F42-84C7-ED651C2C981B", "versionEndIncluding": "10.3.3"}, {"criteria": "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B83AE012-4180-4C56-9173-C87749B8D284", "versionEndIncluding": "10.2.2"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apple:icloud:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BEA8E202-B73B-4CC4-8B69-E3741C0DB420", "versionEndIncluding": "6.9.1"}, {"criteria": "cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "993011BA-088E-48A0-B1F6-5D49DE84EFAF", "versionEndIncluding": "12.6.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "product-security@apple.com"}