Vulnerability CVE-2014-4465

Vulnerability Name:

CVE-2014-4465 (CCN-99111)

Assigned:

2014-12-03

Published:

2014-12-03

Updated:

2019-03-08

Summary:

WebKit in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1 allows remote attackers to bypass the Same Origin Policy via crafted Cascading Style Sheets (CSS) token sequences within an SVG file in the SRC attribute of an IMG element.
Per an <a href="http://support.apple.com/en-us/HT204246">Apple Security Advisory</a> Apple TV before 7.0.3 was also vulnerable.
Per an <a href="http://support.apple.com/en-us/HT204245">Apple Security Advisory</a> Apple iOS before 8.1.3 was also vulnerable.

These product additions are reflected in the vulnerable configuration.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-20

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2014-4465

Source: APPLE
Type: Vendor Advisory
APPLE-SA-2014-12-2-1

Source: APPLE
Type: Vendor Advisory
APPLE-SA-2015-01-27-1

Source: APPLE
Type: Vendor Advisory
APPLE-SA-2015-01-27-2

Source: CCN
Type: Apple Web site
About the security content of Safari 8.0.1, Safari 7.1.1, and Safari 6.2.1

Source: CONFIRM
Type: Vendor Advisory
http://support.apple.com/HT204245

Source: CONFIRM
Type: Vendor Advisory
http://support.apple.com/HT204246

Source: CONFIRM
Type: Vendor Advisory
http://support.apple.com/kb/HT6596

Source: CCN
Type: BID-71439
Apple Safari CVE-2014-4465 Cross Domain Information Disclosure Vulnerability

Source: CCN
Type: BID-72334
Multiple Apple Products Multiple Security Vulnerabilities

Source: XF
Type: UNKNOWN
apple-safari-cve20144465-info-disc(99111)

Vulnerable Configuration:

Configuration 1:

cpe:/o:apple:tvos:*:*:*:*:*:*:*:* (Version <= 7.0.1)

Configuration 2:

cpe:/o:apple:iphone_os:*:*:*:*:*:*:*:* (Version <= 8.1.2)

Configuration 3:

cpe:/a:apple:safari:*:*:*:*:*:*:*:* (Version <= 6.2.0)

OR cpe:/a:apple:safari:7.1.0:*:*:*:*:*:*:*

OR cpe:/a:apple:safari:8.0.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/o:apple:mac_os_x:10.9.5:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.10.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.precise:def:20144465000	V	CVE-2014-4465 on Ubuntu 12.04 LTS (precise) - medium.	2014-12-10
oval:com.ubuntu.trusty:def:20144465000	V	CVE-2014-4465 on Ubuntu 14.04 LTS (trusty) - medium.	2014-12-10
oval:com.ubuntu.xenial:def:20144465000	V	CVE-2014-4465 on Ubuntu 16.04 LTS (xenial) - medium.	2014-12-10
oval:com.ubuntu.xenial:def:201444650000000	V	CVE-2014-4465 on Ubuntu 16.04 LTS (xenial) - medium.	2014-12-10

BACK