Details of VAR-201309-0045

ID

VAR-201309-0045

CVE

CVE-2013-1034

TITLE

Apple Mac OS X Server of Wiki Server cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2013-004211

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Wiki Server in Apple Mac OS X Server before 2.2.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-09-17-1 OS X Server v2.2.2 OS X Server v2.2.2 is now available and addresses the following: ClamAV Available for: OS X Mountain Lion v10.8 or later Impact: Multiple vulnerabilities in ClamAV Description: Multiple vulnerabilities existed in ClamAV, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating ClamAV to version 0.97.8. CVE-ID CVE-2013-2020 CVE-2013-2021 PostgreSQL Available for: OS X Mountain Lion v10.8 or later Impact: Multiple vulnerabilities in PostgreSQL Description: Multiple vulnerabilities existed in PostgreSQL, the most serious of which may lead to data corruption or privilege escalation. This update addresses the issues by updating PostgreSQL to version 9.2.4. These issues were addressed by improved encoding of HTML output. CVE-ID CVE-2013-1034 : David Hoyt of Hoyt LLC Research OS X Server v2.2.2 may be obtained from Mac App Store. Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJSOJFGAAoJEPefwLHPlZEwb1cQAIKRQDJfjJefWGq0xdIUQdtp QIZAU1OiWqThnAXSvGXINy1bj1LxtaTveS0ccxVpmWR6CxGhm3+CMHcIeLjXz16a ZKD1ABZiy+dfaVO+ESu9oA6FMkjUyUMoWiwlleHYRFtDWlAutcFKQYVcmRp0p+zz UYl7sHOIvWmOwY/If4EDOVPKtcBJe0u41PdpGJiNM7GRoWjk3MRlfdScpa+/EHqv r/QQBjt1ukFuyqPJqaBtyRbIEry2a364J7TlP/OeQcafU/GbYaXo0xF2BkxoLrkE zUyqJ1O+w3QzJfKOr2W/Xq3a2KLfBm/IF0tTkwRM8TFaGNoAd9nBExd285Xe/TUk m+/7C3KgbLvAbnBAUdCsnViPuW5KQc1bcM1DN6yjrh61ZOGttfvbNPWjRjx5FZM1 OrbXCWsmQA79wz1lzi2xK7XV1pYpQXVcUrPhkgfD8f+tt/VimL4nvcFRw+uylWoE UT93IvSaZ0lXCKrk4DNzDpji/IuFtddF6ZhGAC/mRgz9fsnJZ/dLrXTwhe6Hexlq 0v2oGvFKGJI7cGASCZ7EN6oK0bjbX+nGQHsuWfGh51B6eSdaPg7+9AtJGFNw2mSM 3vijZXbplvnRGIbajkpAHOk3o2fLnlZG4W4IMoe8GiT/lurnS2TOsY5AWnnPIC06 TqkNrkh5Zmj5JttbFNnt =UcAp -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2013-1034 // JVNDB: JVNDB-2013-004211 // BID: 62449 // VULHUB: VHN-61036 // PACKETSTORM: 123272

AFFECTED PRODUCTS

vendor:	apple	model:	os x server	scope:	eq	version:	2.0	Trust: 1.6
vendor:	apple	model:	os x server	scope:	eq	version:	2.1.1	Trust: 1.6
vendor:	apple	model:	os x server	scope:	eq	version:	2.2.0	Trust: 1.6
vendor:	apple	model:	os x server	scope:	eq	version:	2.1	Trust: 1.6
vendor:	apple	model:	os x server	scope:	lte	version:	2.2.1	Trust: 1.0
vendor:	apple	model:	macos server	scope:	lt	version:	v2.2.2 (apple mac os x v10.8 or later )	Trust: 0.8
vendor:	apple	model:	os x server	scope:	eq	version:	2.2.1	Trust: 0.6
vendor:	apple	model:	mac os server	scope:	eq	version:	x2.2.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x2.1.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x2.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	ne	version:	x2.2.2	Trust: 0.3

sources: BID: 62449 // JVNDB: JVNDB-2013-004211 // CNNVD: CNNVD-201309-307 // NVD: CVE-2013-1034

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-1034
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-1034
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201309-307
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-61036
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2013-1034
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-61036
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-61036 // JVNDB: JVNDB-2013-004211 // CNNVD: CNNVD-201309-307 // NVD: CVE-2013-1034

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-61036 // JVNDB: JVNDB-2013-004211 // NVD: CVE-2013-1034

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201309-307

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201309-307

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004211

PATCH

title:	APPLE-SA-2013-09-17-1	url:	http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html	Trust: 0.8
title:	HT5892	url:	http://support.apple.com/kb/HT5892	Trust: 0.8
title:	HT5892	url:	http://support.apple.com/kb/HT5892?viewlocale=ja_JP	Trust: 0.8

sources: JVNDB: JVNDB-2013-004211

EXTERNAL IDS

db:	NVD	id:	CVE-2013-1034	Trust: 2.9
db:	JVNDB	id:	JVNDB-2013-004211	Trust: 0.8
db:	CNNVD	id:	CNNVD-201309-307	Trust: 0.7
db:	APPLE	id:	APPLE-SA-2013-09-17-1	Trust: 0.6
db:	BID	id:	62449	Trust: 0.4
db:	VULHUB	id:	VHN-61036	Trust: 0.1
db:	PACKETSTORM	id:	123272	Trust: 0.1

sources: VULHUB: VHN-61036 // BID: 62449 // JVNDB: JVNDB-2013-004211 // PACKETSTORM: 123272 // CNNVD: CNNVD-201309-307 // NVD: CVE-2013-1034

REFERENCES

url:	http://support.apple.com/kb/ht5892	Trust: 2.0
url:	http://lists.apple.com/archives/security-announce/2013/sep/msg00004.html	Trust: 1.7
url:	http://www.cloudscan.me/2013/09/cve-2013-1034-stored-xss-xxe-os-x.html	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-1034	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-1034	Trust: 0.8
url:	http://software.cisco.com/download/navigator.html?mdfid=283613663	Trust: 0.3
url:	http://www.apple.com/server/macosx/	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2013-1899	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-2020	Trust: 0.1
url:	https://www.apple.com/support/security/pgp/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-1901	Trust: 0.1
url:	http://support.apple.com/kb/ht1222	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-2021	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-1900	Trust: 0.1
url:	http://gpgtools.org	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-1034	Trust: 0.1

sources: VULHUB: VHN-61036 // BID: 62449 // JVNDB: JVNDB-2013-004211 // PACKETSTORM: 123272 // CNNVD: CNNVD-201309-307 // NVD: CVE-2013-1034

CREDITS

David Hoyt of Hoyt LLC Research

Trust: 0.3

sources: BID: 62449

SOURCES

db:	VULHUB	id:	VHN-61036
db:	BID	id:	62449
db:	JVNDB	id:	JVNDB-2013-004211
db:	PACKETSTORM	id:	123272
db:	CNNVD	id:	CNNVD-201309-307
db:	NVD	id:	CVE-2013-1034

LAST UPDATE DATE

2025-04-11T22:35:30.651000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-61036	date:	2017-09-16T00:00:00
db:	BID	id:	62449	date:	2013-09-17T00:00:00
db:	JVNDB	id:	JVNDB-2013-004211	date:	2013-09-27T00:00:00
db:	CNNVD	id:	CNNVD-201309-307	date:	2013-09-22T00:00:00
db:	NVD	id:	CVE-2013-1034	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-61036	date:	2013-09-19T00:00:00
db:	BID	id:	62449	date:	2013-09-17T00:00:00
db:	JVNDB	id:	JVNDB-2013-004211	date:	2013-09-24T00:00:00
db:	PACKETSTORM	id:	123272	date:	2013-09-17T22:48:59
db:	CNNVD	id:	CNNVD-201309-307	date:	2013-09-22T00:00:00
db:	NVD	id:	CVE-2013-1034	date:	2013-09-19T10:27:55.617