CVE-2020-3867

A logic issue was addressed with improved state management. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to universal cross site scripting.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00004.html	Mailing List Patch Third Party Advisory
https://security.gentoo.org/glsa/202003-22	Third Party Advisory
https://support.apple.com/HT210947	Release Notes Vendor Advisory
https://support.apple.com/HT210948	Release Notes Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apple:icloud::::::windows::*
	cpe:2.3:a:apple:icloud::::::windows::*
	cpe:2.3:a:apple:itunes::::::windows::*
	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:tvos::::::::

Configuration 2 (hide)

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:webkitgtk:webkitgtk:*:*:*:*:*:*:*:*

History

22 Dec 2021, 18:04

Type	Values Removed	Values Added
CPE		cpe:2.3:a:webkitgtk:webkitgtk::::::::
References	~~(GENTOO) https://security.gentoo.org/glsa/202003-22 -~~	(GENTOO) https://security.gentoo.org/glsa/202003-22 - Third Party Advisory

Information

Published : 2020-02-27 21:15

Updated : 2024-02-04 20:39

NVD link : CVE-2020-3867

Mitre link : CVE-2020-3867

CVE.ORG link : CVE-2020-3867

JSON object : View

Products Affected

apple

iphone_os
safari
ipados
itunes
tvos
icloud

opensuse

leap

webkitgtk

webkitgtk

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2020-3867", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2020-02-27T21:15:18.130", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00004.html", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "product-security@apple.com"}, {"url": "https://security.gentoo.org/glsa/202003-22", "tags": ["Third Party Advisory"], "source": "product-security@apple.com"}, {"url": "https://support.apple.com/HT210947", "tags": ["Release Notes", "Vendor Advisory"], "source": "product-security@apple.com"}, {"url": "https://support.apple.com/HT210948", "tags": ["Release Notes", "Vendor Advisory"], "source": "product-security@apple.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A logic issue was addressed with improved state management. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to universal cross site scripting."}, {"lang": "es", "value": "Se abord\u00f3 un problema l\u00f3gico con una administraci\u00f3n de estado mejorada. Este problema es corregido en iOS versi\u00f3n 13.3.1 y iPadOS versi\u00f3n 13.3.1, tvOS versi\u00f3n 13.3.1, Safari versi\u00f3n 13.0.5, iTunes para Windows versi\u00f3n 12.10.4, iCloud para Windows versi\u00f3n 11.0, iCloud para Windows versi\u00f3n 7.17. El procesamiento de contenido web dise\u00f1ado maliciosamente puede conllevar a un ataque de tipo cross site scripting universal."}], "lastModified": "2021-12-22T18:04:46.427", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apple:icloud:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "65AF31B2-A5B2-4BF5-B534-B53BE79CDDA2", "versionEndExcluding": "7.17"}, {"criteria": "cpe:2.3:a:apple:icloud:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "F2F63E96-27FA-4637-8081-A9B76C7385F8", "versionEndIncluding": "10.8", "versionStartIncluding": "10.0"}, {"criteria": "cpe:2.3:a:apple:itunes:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "15CC59BB-5F0C-4381-A7E7-EFFCC01CC308", "versionEndExcluding": "12.10.4"}, {"criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB81F563-28D4-425E-A81A-002557E23CF8", "versionEndExcluding": "13.0.5"}, {"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3DD89B34-EA75-4559-A112-13B489B2502A", "versionEndExcluding": "13.3.1"}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4BFEAAB-906E-4F49-A6DB-5717BADD8089", "versionEndExcluding": "13.3.1"}, {"criteria": "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7C2B3AC9-FAFE-4819-9538-A072B446BE78", "versionEndExcluding": "13.3.1"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:webkitgtk:webkitgtk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E0C2B1D-5610-4C43-93AE-D739560B73BB", "versionEndExcluding": "2.26.4"}], "operator": "OR"}]}], "sourceIdentifier": "product-security@apple.com"}