Sign-up

ID

VAR-201203-0321


CVE

CVE-2011-3844


TITLE

Apple Safari Forged address bar vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2012-001656

DESCRIPTION

Apple Safari 5.0.5 does not properly implement the setInterval function, which allows remote attackers to spoof the address bar via a crafted web page. Attackers may exploit this issue to craft a misleading URI. This may aid in phishing attacks. Apple Safari 5.0.5 is affected; other versions may also be vulnerable. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Apple Safari "setInterval()" Address Bar Spoofing Vulnerability SECUNIA ADVISORY ID: SA44976 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44976/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44976 RELEASE DATE: 2012-03-07 DISCUSS ADVISORY: http://secunia.com/advisories/44976/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44976/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44976 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Krystian Kloskowski has discovered a vulnerability in Apple Safari, which can be exploited by malicious people to conduct spoofing attacks. The vulnerability is confirmed in version 5.0.5 (7533.21.1). SOLUTION: Update to version 5.1.2 (7534.52.7), which somewhat addresses the vulnerability. PROVIDED AND/OR DISCOVERED BY: Krystian Kloskowski (h07) via Secunia. OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2011-3844 // JVNDB: JVNDB-2012-001656 // BID: 52323 // VULHUB: VHN-51789 // PACKETSTORM: 110549

AFFECTED PRODUCTS

vendor:applemodel:safariscope:eqversion:5.0.5

Trust: 2.7

vendor:applemodel:safari for windowsscope:eqversion:5.0.5

Trust: 0.3

sources: BID: 52323 // JVNDB: JVNDB-2012-001656 // CNNVD: CNNVD-201203-068 // NVD: CVE-2011-3844

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-3844
value: MEDIUM

Trust: 1.0

NVD: CVE-2011-3844
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201203-068
value: MEDIUM

Trust: 0.6

VULHUB: VHN-51789
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2011-3844
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-51789
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-51789 // JVNDB: JVNDB-2012-001656 // CNNVD: CNNVD-201203-068 // NVD: CVE-2011-3844

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-51789 // JVNDB: JVNDB-2012-001656 // NVD: CVE-2011-3844

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201203-068

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201203-068

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2012-001656

PATCH
title:Safariurl:http://www.apple.com/safari/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2012-001656

EXTERNAL IDS
db:NVDid:CVE-2011-3844
Trust: 2.8
db:BIDid:52323
Trust: 2.0
db:SECUNIAid:44976
Trust: 1.8
db:SECTRACKid:1026775
Trust: 1.1
db:OSVDBid:79848
Trust: 1.1
db:JVNDBid:JVNDB-2012-001656
Trust: 0.8
db:CNNVDid:CNNVD-201203-068
Trust: 0.7
db:NSFOCUSid:18985
Trust: 0.6
db:VULHUBid:VHN-51789
Trust: 0.1
db:PACKETSTORMid:110549
Trust: 0.1
sources:
            
            
            VULHUB: VHN-51789 // 
            
            
            
            BID: 52323 // 
            
            
            
            JVNDB: JVNDB-2012-001656 // 
            
            
            
            PACKETSTORM: 110549 // 
            
            
            
            CNNVD: CNNVD-201203-068 // 
            
            
            
            NVD: CVE-2011-3844

REFERENCES
url:http://www.securityfocus.com/bid/52323
Trust: 1.7
url:http://secunia.com/advisories/44976
Trust: 1.7
url:http://osvdb.org/79848
Trust: 1.1
url:http://www.securitytracker.com/id?1026775
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3844
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-3844
Trust: 0.8
url:http://www.nsfocus.net/vulndb/18985
Trust: 0.6
url:http://www.apple.com/safari/
Trust: 0.3
url:http://secunia.com/psi_30_beta_launch
Trust: 0.1
url:http://secunia.com/vulnerability_intelligence/
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
Trust: 0.1
url:http://secunia.com/advisories/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/advisories/44976/#comments
Trust: 0.1
url:https://ca.secunia.com/?page=viewadvisory&vuln_id=44976
Trust: 0.1
url:http://secunia.com/advisories/44976/
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/personal/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/advisories/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-51789 // 
            
            
            
            BID: 52323 // 
            
            
            
            JVNDB: JVNDB-2012-001656 // 
            
            
            
            PACKETSTORM: 110549 // 
            
            
            
            CNNVD: CNNVD-201203-068 // 
            
            
            
            NVD: CVE-2011-3844

CREDITS
Krystian Kloskowski (h07)
Trust: 0.9
sources:
            
            
            BID: 52323 // 
            
            
            
            CNNVD: CNNVD-201203-068

SOURCES
db:VULHUBid:VHN-51789
db:BIDid:52323
db:JVNDBid:JVNDB-2012-001656
db:PACKETSTORMid:110549
db:CNNVDid:CNNVD-201203-068
db:NVDid:CVE-2011-3844

LAST UPDATE DATE
2025-04-11T23:03:08.284000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-51789date:2018-01-06T00:00:00
db:BIDid:52323date:2015-03-19T07:35:00
db:JVNDBid:JVNDB-2012-001656date:2012-03-09T00:00:00
db:CNNVDid:CNNVD-201203-068date:2012-03-09T00:00:00
db:NVDid:CVE-2011-3844date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:VULHUBid:VHN-51789date:2012-03-08T00:00:00
db:BIDid:52323date:2012-03-07T00:00:00
db:JVNDBid:JVNDB-2012-001656date:2012-03-09T00:00:00
db:PACKETSTORMid:110549date:2012-03-07T05:36:37
db:CNNVDid:CNNVD-201203-068date:2012-03-09T00:00:00
db:NVDid:CVE-2011-3844date:2012-03-08T04:15:02.607