ID

VAR-201306-0222


CVE

CVE-2013-1012


TITLE

Cross-site scripting vulnerability in WebKit, as used in Apple Safari and other products

Trust: 0.8

sources: JVNDB: JVNDB-2013-002891

DESCRIPTION

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 6.0.5 allows remote attackers to inject arbitrary web script or HTML via vectors involving IFRAME elements. An attacker may leverage this issue to execute arbitrary script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Note: This issue was previously covered in BID 60330 (Apple Safari Prior to 6.0.5 Multiple Security Vulnerabilities), but has been given its own record to better document it.

WebKit is an open source web browser engine developed jointly by KDE, Apple, Google and others, and is currently used by browsers such as Apple Safari and Google Chrome.

APPLE-SA-2013-06-04-2 Safari 6.0.5

Safari 6.0.5 is now available and addresses the following:

WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.3
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-0879 : Atte Kettunen of OUSPG
CVE-2013-0991 : Jay Civelli of the Chromium development community
CVE-2013-0992 : Google Chrome Security Team (Martin Barbella)
CVE-2013-0993 : Google Chrome Security Team (Inferno)
CVE-2013-0994 : David German of Google
CVE-2013-0995 : Google Chrome Security Team (Inferno)
CVE-2013-0996 : Google Chrome Security Team (Inferno)
CVE-2013-0997 : Vitaliy Toropov working with HP's Zero Day Initiative
CVE-2013-0998 : pa_kt working with HP's Zero Day Initiative
CVE-2013-0999 : pa_kt working with HP's Zero Day Initiative
CVE-2013-1000 : Fermin J. Serna of the Google Security Team
CVE-2013-1001 : Ryan Humenick
CVE-2013-1002 : Sergey Glazunov
CVE-2013-1003 : Google Chrome Security Team (Inferno)
CVE-2013-1004 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1005 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1006 : Google Chrome Security Team (Martin Barbella)
CVE-2013-1007 : Google Chrome Security Team (Inferno)
CVE-2013-1008 : Sergey Glazunov
CVE-2013-1009 : Apple
CVE-2013-1010 : miaubiz
CVE-2013-1011 : Google Chrome Security Team (Inferno)
CVE-2013-1023 : Google Chrome Security Team (Inferno)

WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.3
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: A cross-site scripting issue existed in the handling of iframes. This issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-1012 : Subodh Iyengar and Erling Ellingsen of Facebook

WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.3
Impact: Copying and pasting a malicious HTML snippet may lead to a cross-site scripting attack
Description: A cross-site scripting issue existed in the handling of copied and pasted data in HTML documents. This issue was addressed through additional validation of pasted content.
CVE-ID
CVE-2013-0926 : Aditya Gupta, Subho Halder, and Dev Kar of xys3c (xysec.com)

WebKit
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.3
Impact: Following a maliciously crafted link could lead to unexpected behavior on the target site
Description: XSS Auditor may rewrite URLs to prevent cross-site scripting attacks. This may lead to a malicious alteration of the behavior of a form submission. This issue was addressed through improved validation of URLs.
CVE-ID
CVE-2013-1013 : Sam Power of Pentest Limited

For OS X Lion systems Safari 6.0.5 is available via the Apple Software Update application.
For OS X Mountain Lion systems Safari 6.0.5 is included with OS X v10.8.4.

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

Trust: 2.07

sources: NVD: CVE-2013-1012 // JVNDB: JVNDB-2013-002891 // BID: 60361 // VULHUB: VHN-61014 // PACKETSTORM: 121925

AFFECTED PRODUCTS

vendor  model                       scope  version                                 Trust
apple   safari                      eq     6.0.3                                   1.9
apple   safari                      eq     6.0.2                                   1.9
apple   safari                      eq     6.0.1                                   1.9
apple   safari                      eq     6.0                                     1.9
apple   safari                      lte    6.0.4                                   1.0
apple   safari                      eq     6.0.4                                   0.9
apple   ios                         lt     7 (ipad 2 or later)                     0.8
apple   ios                         lt     7 (iphone 4 or later)                   0.8
apple   ios                         lt     7 (iPod touch 5th generation or later)  0.8
apple   safari                      lt     6.0.5                                   0.8
webkit  open source project webkit  eq     0                                       0.3
apple   safari                      eq     5.0.6                                   0.3
apple   safari for windows          eq     6.0.1                                   0.3
apple   safari for windows          eq     6.0                                     0.3
apple   safari for windows          eq     5.1.7                                   0.3
apple   safari                      eq     5.1.7                                   0.3
apple   safari for windows          eq     5.1.5                                   0.3
apple   safari for windows          eq     5.1.4                                   0.3
apple   safari                      eq     5.1.4                                   0.3
apple   safari for windows          eq     5.1.1                                   0.3
apple   safari                      eq     5.1.1                                   0.3
apple   safari for windows          eq     5.1                                     0.3
apple   safari                      eq     5.1                                     0.3
apple   safari for windows          eq     5.0.6                                   0.3
apple   safari for windows          eq     5.0.5                                   0.3
apple   safari                      eq     5.0.5                                   0.3
apple   safari for windows          eq     5.0.4                                   0.3
apple   safari                      eq     5.0.4                                   0.3
apple   safari for windows          eq     5.0.3                                   0.3
apple   safari                      eq     5.0.3                                   0.3
apple   safari for windows          eq     5.0.2                                   0.3
apple   safari                      eq     5.0.2                                   0.3
apple   safari for windows          eq     5.0.1                                   0.3
apple   safari                      eq     5.0.1                                   0.3
apple   safari for windows          eq     5.0                                     0.3
apple   safari                      eq     5.0                                     0.3
apple   ipod touch                  eq     0                                       0.3
apple   iphone                      eq     0                                       0.3
apple   ipad                        eq     0                                       0.3
apple   ios                         eq     6.1.3                                   0.3
apple   ios                         eq     6.1                                     0.3
apple   ios                         eq     6.0.2                                   0.3
apple   ios                         eq     6.0.1                                   0.3
apple   ios for developer           eq     6                                       0.3
apple   ios beta                    eq     64                                      0.3
apple   ios                         eq     6                                       0.3
apple   safari for windows          ne     6.0.5                                   0.3
apple   safari                      ne     6.0.5                                   0.3
apple   ios                         ne     7                                       0.3

sources: BID: 60361 // JVNDB: JVNDB-2013-002891 // CNNVD: CNNVD-201306-084 // NVD: CVE-2013-1012

CVSS

SEVERITY

nvd@nist.gov: CVE-2013-1012
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-1012
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201306-084
value: MEDIUM

Trust: 0.6

VULHUB: VHN-61014
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2013-1012
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-61014
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-61014 // JVNDB: JVNDB-2013-002891 // CNNVD: CNNVD-201306-084 // NVD: CVE-2013-1012

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-61014 // JVNDB: JVNDB-2013-002891 // NVD: CVE-2013-1012

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201306-084

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201306-084

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-002891

PATCH

title: APPLE-SA-2013-09-18-2  url: http://lists.apple.com/archives/security-announce/2013/Sep/msg00006.html

Trust: 0.8

title: APPLE-SA-2013-06-04-2  url: http://lists.apple.com/archives/security-announce/2013/Jun/msg00001.html

Trust: 0.8

title: HT5934  url: http://support.apple.com/kb/HT5934

Trust: 0.8

title: HT5785  url: http://support.apple.com/kb/HT5785

Trust: 0.8

title: HT5934  url: http://support.apple.com/kb/HT5934?viewlocale=ja_JP

Trust: 0.8

title: HT5785  url: http://support.apple.com/kb/HT5785?viewlocale=ja_JP

Trust: 0.8

sources: JVNDB: JVNDB-2013-002891

EXTERNAL IDS

db: NVD  id: CVE-2013-1012

Trust: 2.9

db: SECUNIA  id: 54886

Trust: 1.1

db: JVN  id: JVNVU98681940

Trust: 0.8

db: JVNDB  id: JVNDB-2013-002891

Trust: 0.8

db: CNNVD  id: CNNVD-201306-084

Trust: 0.7

db: APPLE  id: APPLE-SA-2013-06-04-2

Trust: 0.6

db: SECUNIA  id: 53711

Trust: 0.6

db: BID  id: 60361

Trust: 0.4

db: VULHUB  id: VHN-61014

Trust: 0.1

db: PACKETSTORM  id: 121925

Trust: 0.1

sources: VULHUB: VHN-61014 // BID: 60361 // JVNDB: JVNDB-2013-002891 // PACKETSTORM: 121925 // CNNVD: CNNVD-201306-084 // NVD: CVE-2013-1012

REFERENCES

url:http://support.apple.com/kb/ht5785

Trust: 2.0

url:http://lists.apple.com/archives/security-announce/2013/jun/msg00001.html

Trust: 1.7

url:http://lists.apple.com/archives/security-announce/2013/sep/msg00006.html

Trust: 1.1

url:http://support.apple.com/kb/ht5934

Trust: 1.1

url:http://secunia.com/advisories/54886

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-1012

Trust: 0.8

url:http://jvn.jp/cert/jvnvu98681940/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-1012

Trust: 0.8

url:http://secunia.com/advisories/53711

Trust: 0.6

url:http://www.webkit.org/

Trust: 0.3

url:http://lists.apple.com/archives/security-announce/2013/sep/msg00006.html

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2013-0997

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-0996

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-0879

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1000

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1010

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1001

Trust: 0.1

url:http://support.apple.com/kb/ht1222

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-0995

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-0992

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1003

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1012

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1005

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1011

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1002

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-0993

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1004

Trust: 0.1

url:http://gpgtools.org

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-0991

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1013

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-0999

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1009

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-0994

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1007

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-0926

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-0998

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1006

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1008

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1023

Trust: 0.1

sources: VULHUB: VHN-61014 // BID: 60361 // JVNDB: JVNDB-2013-002891 // PACKETSTORM: 121925 // CNNVD: CNNVD-201306-084 // NVD: CVE-2013-1012

CREDITS

Subodh Iyengar and Erling Ellingsen of Facebook

Trust: 0.3

sources: BID: 60361

SOURCES

db: VULHUB  id: VHN-61014
db: BID  id: 60361
db: JVNDB  id: JVNDB-2013-002891
db: PACKETSTORM  id: 121925
db: CNNVD  id: CNNVD-201306-084
db: NVD  id: CVE-2013-1012

LAST UPDATE DATE

2025-04-11T20:31:31.230000+00:00


SOURCES UPDATE DATE

db: VULHUB  id: VHN-61014  date: 2013-09-27T00:00:00
db: BID  id: 60361  date: 2015-03-19T08:29:00
db: JVNDB  id: JVNDB-2013-002891  date: 2013-10-09T00:00:00
db: CNNVD  id: CNNVD-201306-084  date: 2013-06-06T00:00:00
db: NVD  id: CVE-2013-1012  date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: VULHUB  id: VHN-61014  date: 2013-06-05T00:00:00
db: BID  id: 60361  date: 2013-06-05T00:00:00
db: JVNDB  id: JVNDB-2013-002891  date: 2013-06-06T00:00:00
db: PACKETSTORM  id: 121925  date: 2013-06-06T14:44:44
db: CNNVD  id: CNNVD-201306-084  date: 2013-06-06T00:00:00
db: NVD  id: CVE-2013-1012  date: 2013-06-05T14:39:55.583