Sign-up

ID

VAR-201006-0226


CVE

CVE-2010-1373


TITLE

Apple Mac OS X Help Viewer vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2010-001649

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Help Viewer in Apple Mac OS X 10.6 before 10.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted help: URL, related to "URL parameters in HTML content.". Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2010-004. The update addresses new vulnerabilities that affect the CUPS, DesktopServices, Folder Manager, Help Viewer, iChat, ImageIO, Network Authorization, Open Directory, Printer Setup, Printing, Ruby, SMB File Server, and Wiki Server components of Mac OS X. The advisory also contains security updates for 13 previously reported issues. This BID is being retired. The following individual records exist to better document the issues: 40886 Apple Mac OS X Help Viewer 'help://' URI Cross Site Scripting Vulnerability 40887 Apple Mac OS X Folder Manager Symbolic Link Handling Security Bypass Vulnerability 40888 Apple Mac OS X Prior to 10.6.4 Printer Setup (CVE-2010-1379) Remote Denial Of Service Vulnerability 40889 Apple Mac OS X CUPS Web Interface Unspecified Cross Site Request Forgery Vulnerability 40892 Apple Mac OS X Wiki Server Comment HTML Injection Vulnerability 40893 Apple Mac OS X Samba Wide Links Symbolic Link Handling Security Bypass Vulnerability 40894 Apple Mac OS X Prior to 10.6.4 ImageIO (CVE-2010-0543) Remote Code Execution Vulnerability 40895 Ruby WEBrick UTF-7 Encoding Cross Site Scripting Vulnerability 40896 Apple Mac OS X iChat Inline Image Transfer Directory Traversal Vulnerability 40897 Apple Mac OS X CUPS Web Interface Unspecified Information Disclosure Vulnerability 40898 Apple Mac OS X DesktopServices Component Insecure File Permissions Vulnerability 40901 Apple Mac OS X Network Authorization Local Privilege Escalation Vulnerability 40902 Apple Mac OS X Network Authorization URI Handler Remote Format String Vulnerability 40903 Apple Mac OS X Prior to 10.6.4 Printing (CVE-2010-1380) Integer Overflow Vulnerability 40905 Apple Mac OS X Prior to 10.6.4 Open Directory (CVE-2010-1377) Security Bypass Vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks

Trust: 2.25

sources: NVD: CVE-2010-1373 // JVNDB: JVNDB-2010-001649 // BID: 40871 // BID: 40886 // VULHUB: VHN-43978

AFFECTED PRODUCTS

vendor:applemodel:mac os xscope:eqversion:10.6.3

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.6.2

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.6.2

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.6.1

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.6.3

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.6.1

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.6.0

Trust: 1.6

vendor:applemodel:mac os x serverscope:eqversion:10.6.0

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:v10.6 to v10.6.3

Trust: 0.8

vendor:applemodel:mac os x serverscope:eqversion:v10.6 to v10.6.3

Trust: 0.8

vendor:applemodel:mac os serverscope:eqversion:x10.6.3

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.6.2

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.6.1

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.6

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.6.3

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.6.2

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.6.1

Trust: 0.6

vendor:applemodel:mac osscope:eqversion:x10.6

Trust: 0.6

vendor:applemodel:mac os serverscope:neversion:x10.6.4

Trust: 0.6

vendor:applemodel:mac osscope:neversion:x10.6.4

Trust: 0.6

vendor:applemodel:mac os serverscope:eqversion:x10.5.8

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.7

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.6

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.5

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.4

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.3

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.2

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5.1

Trust: 0.3

vendor:applemodel:mac os serverscope:eqversion:x10.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.8

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.7

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.5

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.2

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5.1

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.5

Trust: 0.3

sources: BID: 40871 // BID: 40886 // JVNDB: JVNDB-2010-001649 // CNNVD: CNNVD-201006-285 // NVD: CVE-2010-1373

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-1373
value: MEDIUM

Trust: 1.0

NVD: CVE-2010-1373
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201006-285
value: MEDIUM

Trust: 0.6

VULHUB: VHN-43978
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2010-1373
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-43978
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-43978 // JVNDB: JVNDB-2010-001649 // CNNVD: CNNVD-201006-285 // NVD: CVE-2010-1373

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-43978 // JVNDB: JVNDB-2010-001649 // NVD: CVE-2010-1373

THREAT TYPE

network

Trust: 0.6

sources: BID: 40871 // BID: 40886

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201006-285

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2010-001649

PATCH
title:HT4188url:http://support.apple.com/kb/HT4188
Trust: 0.8
title:HT4188url:http://support.apple.com/kb/HT4188?viewlocale=ja_JP
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2010-001649

EXTERNAL IDS
db:NVDid:CVE-2010-1373
Trust: 2.8
db:VUPENid:ADV-2010-1481
Trust: 2.5
db:SECUNIAid:40220
Trust: 2.5
db:SECTRACKid:1024103
Trust: 2.5
db:BIDid:40871
Trust: 2.0
db:JVNDBid:JVNDB-2010-001649
Trust: 0.8
db:CNNVDid:CNNVD-201006-285
Trust: 0.7
db:APPLEid:APPLE-SA-2010-06-15-1
Trust: 0.6
db:BIDid:40886
Trust: 0.4
db:VULHUBid:VHN-43978
Trust: 0.1
sources:
            
            
            VULHUB: VHN-43978 // 
            
            
            
            BID: 40871 // 
            
            
            
            BID: 40886 // 
            
            
            
            JVNDB: JVNDB-2010-001649 // 
            
            
            
            CNNVD: CNNVD-201006-285 // 
            
            
            
            NVD: CVE-2010-1373

REFERENCES
url:http://securitytracker.com/id?1024103
Trust: 2.5
url:http://secunia.com/advisories/40220
Trust: 2.5
url:http://www.vupen.com/english/advisories/2010/1481
Trust: 2.5
url:http://lists.apple.com/archives/security-announce/2010//jun/msg00001.html
Trust: 1.7
url:http://www.securityfocus.com/bid/40871
Trust: 1.7
url:http://support.apple.com/kb/ht4188
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1373
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-1373
Trust: 0.8
url:http://www.apple.com/macosx/
Trust: 0.6
sources:
            
            
            VULHUB: VHN-43978 // 
            
            
            
            BID: 40871 // 
            
            
            
            BID: 40886 // 
            
            
            
            JVNDB: JVNDB-2010-001649 // 
            
            
            
            CNNVD: CNNVD-201006-285 // 
            
            
            
            NVD: CVE-2010-1373

CREDITS
Apple; Adrian 'pagvac' Pastor of GNUCITIZEN, and Tim Starling; Tim Waugh; Luca Carettoni; Michi Ruepp of pianobakery.com; Clint Ruoho of Laconic Security; Kevin Finisterre of digitalmunition.com; MIT Kerberos Team; Joel Johnson, Debian, Brian Almeida; Emm
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201006-285

SOURCES
db:VULHUBid:VHN-43978
db:BIDid:40871
db:BIDid:40886
db:JVNDBid:JVNDB-2010-001649
db:CNNVDid:CNNVD-201006-285
db:NVDid:CVE-2010-1373

LAST UPDATE DATE
2025-04-11T20:25:43.771000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-43978date:2010-06-17T00:00:00
db:BIDid:40871date:2010-06-16T21:59:00
db:BIDid:40886date:2010-06-15T00:00:00
db:JVNDBid:JVNDB-2010-001649date:2010-07-08T00:00:00
db:CNNVDid:CNNVD-201006-285date:2010-06-21T00:00:00
db:NVDid:CVE-2010-1373date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:VULHUBid:VHN-43978date:2010-06-17T00:00:00
db:BIDid:40871date:2010-06-15T00:00:00
db:BIDid:40886date:2010-06-15T00:00:00
db:JVNDBid:JVNDB-2010-001649date:2010-07-08T00:00:00
db:CNNVDid:CNNVD-201006-285date:2010-06-21T00:00:00
db:NVDid:CVE-2010-1373date:2010-06-17T16:30:01.497