Vulnerability CVE-2021-1825

Vulnerability Name:

CVE-2021-1825 (CCN-200745)

Assigned:

2020-12-08

Published:

2021-04-26

Updated:

2021-09-16

Summary:

An input validation issue was addressed with improved input validation. This issue is fixed in iTunes 12.11.3 for Windows, iCloud for Windows 12.3, macOS Big Sur 11.3, Safari 14.1, watchOS 7.4, tvOS 14.5, iOS 14.5 and iPadOS 14.5. Processing maliciously crafted web content may lead to a cross site scripting attack.

CVSS v3 Severity:

6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

8.1 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
7.7 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79
CWE-20

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2021-1825

Source: XF
Type: UNKNOWN
apple-ios-cve20211825-xss(200745)

Source: CCN
Type: Apple security document HT212317
About the security content of iOS 14.5 and iPadOS 14.5

Source: MISC
Type: Vendor Advisory
https://support.apple.com/en-us/HT212317

Source: CCN
Type: Apple security document HT212318
About the security content of Safari 14.1

Source: MISC
Type: Vendor Advisory
https://support.apple.com/en-us/HT212318

Source: MISC
Type: Vendor Advisory
https://support.apple.com/en-us/HT212319

Source: CCN
Type: Apple security document HT212321
About the security content of iCloud for Windows 12.3

Source: MISC
Type: Vendor Advisory
https://support.apple.com/en-us/HT212321

Source: MISC
Type: Vendor Advisory
https://support.apple.com/en-us/HT212323

Source: MISC
Type: Vendor Advisory
https://support.apple.com/en-us/HT212324

Source: MISC
Type: Vendor Advisory
https://support.apple.com/en-us/HT212325

Source: CCN
Type: IBM Security Bulletin 6493729 (Cloud Pak for Security)
Cloud Pak for Security is vulnerable to several CVEs

Vulnerable Configuration:

Configuration 1:

cpe:/a:apple:icloud:*:*:*:*:*:windows:*:* (Version < 12.3)

OR cpe:/a:apple:itunes:*:*:*:*:*:windows:*:* (Version < 12.11.3)

OR cpe:/a:apple:safari:*:*:*:*:*:*:*:* (Version < 14.1)

OR cpe:/o:apple:ipados:*:*:*:*:*:*:*:* (Version < 14.5)

OR cpe:/o:apple:iphone_os:*:*:*:*:*:*:*:* (Version < 14.5)

OR cpe:/o:apple:macos:*:*:*:*:*:*:*:* (Version >= 11.0 and < 11.3)

OR cpe:/o:apple:tvos:*:*:*:*:*:*:*:* (Version < 14.5)

OR cpe:/o:apple:watchos:*:*:*:*:*:*:*:* (Version < 7.4)

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

Configuration CCN 1:

cpe:/a:apple:safari:14.0.0:*:*:*:*:*:*:*

OR cpe:/o:apple:ios:14.4:*:*:*:*:*:*:*

OR cpe:/o:apple:ipados:14.4:*:*:*:*:*:*:*

OR cpe:/a:apple:icloud:12.3:*:*:*:*:windows:*:*

AND

cpe:/a:ibm:cloud_pak_for_security:1.7.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.7.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8033	P	libjavascriptcoregtk-5_0-0-2.38.6-150400.4.39.1 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:7603	P	libjavascriptcoregtk-4_0-18-2.38.6-150400.4.39.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:7941	P	libjavascriptcoregtk-4_1-0-2.38.6-150400.4.39.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:3401	P	xen-4.12.1_06-1.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3018	P	augeas-1.10.1-2.6 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3320	P	pam_yubico-2.26-1.25 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94648	P	libjavascriptcoregtk-4_0-18-2.36.0-150400.2.13 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94950	P	libjavascriptcoregtk-4_1-0-2.36.0-150400.2.13 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95031	P	libjavascriptcoregtk-5_0-0-2.36.0-150400.2.12 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:119097	P	Security update for webkit2gtk3 (Important)	2022-02-17
oval:org.opensuse.security:def:118905	P	Security update for webkit2gtk3 (Important)	2022-01-25
oval:org.opensuse.security:def:119587	P	Security update for webkit2gtk3 (Important)	2022-01-25
oval:org.opensuse.security:def:1070	P	Security update for webkit2gtk3 (Important)	2022-01-25
oval:org.opensuse.security:def:101609	P	Security update for webkit2gtk3 (Important)	2022-01-25
oval:org.opensuse.security:def:119212	P	Security update for webkit2gtk3 (Important)	2022-01-25
oval:org.opensuse.security:def:101759	P	Security update for webkit2gtk3 (Important)	2022-01-25
oval:org.opensuse.security:def:118715	P	Security update for webkit2gtk3 (Important)	2022-01-25
oval:org.opensuse.security:def:119402	P	Security update for webkit2gtk3 (Important)	2022-01-25
oval:org.opensuse.security:def:898	P	Security update for webkit2gtk3 (Important)	2022-01-25
oval:org.opensuse.security:def:127265	P	Security update for webkit2gtk3 (Important)	2022-01-20
oval:org.opensuse.security:def:5226	P	Security update for webkit2gtk3 (Important)	2022-01-20
oval:org.opensuse.security:def:125702	P	Security update for webkit2gtk3 (Important)	2022-01-20
oval:org.opensuse.security:def:6020	P	Security update for webkit2gtk3 (Important)	2022-01-20
oval:org.opensuse.security:def:126868	P	Security update for webkit2gtk3 (Important)	2022-01-20
oval:com.redhat.rhsa:def:20211586	P	RHSA-2021:1586: GNOME security, bug fix, and enhancement update (Moderate)	2021-05-18

BACK