Details of VAR-201006-0136

ID

VAR-201006-0136

CVE

CVE-2010-1382

TITLE

Apple Mac OS X of Wiki Server cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2010-001662

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Wiki Server in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote authenticated users to inject arbitrary web script or HTML via crafted Wiki content, related to lack of a charset field. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2010-004. The update addresses new vulnerabilities that affect the CUPS, DesktopServices, Folder Manager, Help Viewer, iChat, ImageIO, Network Authorization, Open Directory, Printer Setup, Printing, Ruby, SMB File Server, and Wiki Server components of Mac OS X. The advisory also contains security updates for 13 previously reported issues. This BID is being retired. The following individual records exist to better document the issues: 40886 Apple Mac OS X Help Viewer 'help://' URI Cross Site Scripting Vulnerability 40887 Apple Mac OS X Folder Manager Symbolic Link Handling Security Bypass Vulnerability 40888 Apple Mac OS X Prior to 10.6.4 Printer Setup (CVE-2010-1379) Remote Denial Of Service Vulnerability 40889 Apple Mac OS X CUPS Web Interface Unspecified Cross Site Request Forgery Vulnerability 40892 Apple Mac OS X Wiki Server Comment HTML Injection Vulnerability 40893 Apple Mac OS X Samba Wide Links Symbolic Link Handling Security Bypass Vulnerability 40894 Apple Mac OS X Prior to 10.6.4 ImageIO (CVE-2010-0543) Remote Code Execution Vulnerability 40895 Ruby WEBrick UTF-7 Encoding Cross Site Scripting Vulnerability 40896 Apple Mac OS X iChat Inline Image Transfer Directory Traversal Vulnerability 40897 Apple Mac OS X CUPS Web Interface Unspecified Information Disclosure Vulnerability 40898 Apple Mac OS X DesktopServices Component Insecure File Permissions Vulnerability 40901 Apple Mac OS X Network Authorization Local Privilege Escalation Vulnerability 40902 Apple Mac OS X Network Authorization URI Handler Remote Format String Vulnerability 40903 Apple Mac OS X Prior to 10.6.4 Printing (CVE-2010-1380) Integer Overflow Vulnerability 40905 Apple Mac OS X Prior to 10.6.4 Open Directory (CVE-2010-1377) Security Bypass Vulnerability

Trust: 2.25

sources: NVD: CVE-2010-1382 // JVNDB: JVNDB-2010-001662 // BID: 40892 // BID: 40871 // VULHUB: VHN-43987

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.3	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.2	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.2	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.1	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.5.8	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.3	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.1	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.5.8	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.6.0	Trust: 1.6
vendor:	apple	model:	mac os x server	scope:	eq	version:	10.6.0	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.5.8	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.6 to v10.6.3	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.5.8	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.6 to v10.6.3	Trust: 0.8
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.3	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.2	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6.1	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.8	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.7	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.6	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.5	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.4	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.3	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.2	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.1	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.6	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.3	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.2	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6.1	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.8	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.7	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.6	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.5	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.4	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.3	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.2	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.1	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.6	Trust: 0.6
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	ne	version:	x10.6.4	Trust: 0.6
vendor:	apple	model:	mac os	scope:	ne	version:	x10.6.4	Trust: 0.6

sources: BID: 40892 // BID: 40871 // JVNDB: JVNDB-2010-001662 // CNNVD: CNNVD-201006-293 // NVD: CVE-2010-1382

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2010-1382
value:	LOW
Trust: 1.0
NVD:	CVE-2010-1382
value:	LOW
Trust: 0.8
CNNVD:	CNNVD-201006-293
value:	LOW
Trust: 0.6
VULHUB:	VHN-43987
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2010-1382
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-43987
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-43987 // JVNDB: JVNDB-2010-001662 // CNNVD: CNNVD-201006-293 // NVD: CVE-2010-1382

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-43987 // JVNDB: JVNDB-2010-001662 // NVD: CVE-2010-1382

THREAT TYPE

network

Trust: 0.6

sources: BID: 40892 // BID: 40871

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201006-293

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-001662

PATCH

title:	HT4188	url:	http://support.apple.com/kb/HT4188	Trust: 0.8
title:	HT4188	url:	http://support.apple.com/kb/HT4188?viewlocale=ja_JP	Trust: 0.8

sources: JVNDB: JVNDB-2010-001662

EXTERNAL IDS

db:	NVD	id:	CVE-2010-1382	Trust: 2.8
db:	VUPEN	id:	ADV-2010-1481	Trust: 2.5
db:	SECUNIA	id:	40220	Trust: 2.5
db:	SECTRACK	id:	1024103	Trust: 2.5
db:	BID	id:	40871	Trust: 2.0
db:	JVNDB	id:	JVNDB-2010-001662	Trust: 0.8
db:	CNNVD	id:	CNNVD-201006-293	Trust: 0.7
db:	APPLE	id:	APPLE-SA-2010-06-15-1	Trust: 0.6
db:	BID	id:	40892	Trust: 0.4
db:	VULHUB	id:	VHN-43987	Trust: 0.1

sources: VULHUB: VHN-43987 // BID: 40892 // BID: 40871 // JVNDB: JVNDB-2010-001662 // CNNVD: CNNVD-201006-293 // NVD: CVE-2010-1382

REFERENCES

url:	http://securitytracker.com/id?1024103	Trust: 2.5
url:	http://secunia.com/advisories/40220	Trust: 2.5
url:	http://www.vupen.com/english/advisories/2010/1481	Trust: 2.5
url:	http://lists.apple.com/archives/security-announce/2010//jun/msg00001.html	Trust: 1.7
url:	http://www.securityfocus.com/bid/40871	Trust: 1.7
url:	http://support.apple.com/kb/ht4188	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1382	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-1382	Trust: 0.8
url:	http://software.cisco.com/download/navigator.html?mdfid=283613663	Trust: 0.3
url:	http://www.apple.com/macosx/	Trust: 0.3

sources: VULHUB: VHN-43987 // BID: 40892 // BID: 40871 // JVNDB: JVNDB-2010-001662 // CNNVD: CNNVD-201006-293 // NVD: CVE-2010-1382

CREDITS

Apple; Adrian 'pagvac' Pastor of GNUCITIZEN, and Tim Starling; Tim Waugh; Luca Carettoni; Michi Ruepp of pianobakery.com; Clint Ruoho of Laconic Security; Kevin Finisterre of digitalmunition.com; MIT Kerberos Team; Joel Johnson, Debian, Brian Almeida; Emm

Trust: 0.6

sources: CNNVD: CNNVD-201006-293

SOURCES

db:	VULHUB	id:	VHN-43987
db:	BID	id:	40892
db:	BID	id:	40871
db:	JVNDB	id:	JVNDB-2010-001662
db:	CNNVD	id:	CNNVD-201006-293
db:	NVD	id:	CVE-2010-1382

LAST UPDATE DATE

2025-04-11T19:57:23.595000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-43987	date:	2010-06-18T00:00:00
db:	BID	id:	40892	date:	2010-06-15T00:00:00
db:	BID	id:	40871	date:	2010-06-16T21:59:00
db:	JVNDB	id:	JVNDB-2010-001662	date:	2010-07-12T00:00:00
db:	CNNVD	id:	CNNVD-201006-293	date:	2010-06-21T00:00:00
db:	NVD	id:	CVE-2010-1382	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-43987	date:	2010-06-17T00:00:00
db:	BID	id:	40892	date:	2010-06-15T00:00:00
db:	BID	id:	40871	date:	2010-06-15T00:00:00
db:	JVNDB	id:	JVNDB-2010-001662	date:	2010-07-12T00:00:00
db:	CNNVD	id:	CNNVD-201006-293	date:	2010-06-21T00:00:00
db:	NVD	id:	CVE-2010-1382	date:	2010-06-17T16:30:01.780