Vulnerability Name:

CVE-2013-6835 (CCN-91748)

Assigned: 2013-11-20
Published: 2014-03-10
Updated: 2017-01-07
Summary: TelephonyUI Framework in Apple iOS 7 before 7.1, when Safari is used, does not require user confirmation for FaceTime audio calls, which allows remote attackers to obtain telephone number or e-mail address information via a facetime-audio: URL.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References: Source: APPLE
Type: UNKNOWN
APPLE-SA-2014-09-17-1

Source: MITRE
Type: CNA
CVE-2013-6835

Source: BUGTRAQ
Type: UNKNOWN
20140310 [CVE-2013-6835] - iOS 7.0.6 Safari/Facetime-Audio Privacy issue

Source: CCN
Type: Bugtraq Mailing List, Mon 10 Mar 2014
[CVE-2013-6835] - iOS 7.0.6 Safari/Facetime-Audio Privacy issue

Source: FULLDISC
Type: UNKNOWN
20140311 [CVE-2013-6835] - iOS 7.0.6 Safari/Facetime-Audio Privacy issue

Source: CCN
Type: Apple Web site
About the security content of iOS 7.1

Source: CONFIRM
Type: Vendor Advisory
http://support.apple.com/kb/HT6162

Source: CONFIRM
Type: UNKNOWN
http://support.apple.com/kb/HT6441

Source: BID
Type: UNKNOWN
66108

Source: CCN
Type: BID-66108
Apple iOS 'facetime-audio://' Security Bypass Vulnerability

Source: XF
Type: UNKNOWN
appleios-cve20136835-sec-bypass(91748)

Source: CCN
Type: Packet Storm Security [03-11-2014]
Apple Facetime Information Disclosure

Vulnerable Configuration: Configuration 1:
  • cpe:/o:apple:ios:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:apple:ios:7.0.1:*:*:*:*:*:*:*
  • OR cpe:/o:apple:ios:7.0.2:*:*:*:*:*:*:*
  • OR cpe:/o:apple:ios:7.0.3:*:*:*:*:*:*:*
  • OR cpe:/o:apple:ios:7.0.4:*:*:*:*:*:*:*
  • OR cpe:/o:apple:ios:7.0.5:*:*:*:*:*:*:*
  • OR cpe:/o:apple:iphone_os:*:*:*:*:*:*:*:* (Version <= 7.0.6)
  • AND
  • cpe:/a:apple:safari:*:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    apple iphone os 7.0
    apple iphone os 7.0.1
    apple iphone os 7.0.2
    apple iphone os 7.0.3
    apple iphone os 7.0.4
    apple iphone os 7.0.5
    apple iphone os *
    apple safari *