ID

VAR-202010-1233


CVE

CVE-2020-9912


TITLE

Logic vulnerability in Safari

Trust: 0.8

sources: JVNDB: JVNDB-2020-009853

DESCRIPTION

A logic issue was addressed with improved restrictions. This issue is fixed in Safari 13.1.2. A malicious attacker may be able to change the origin of a frame for a download in Safari Reader mode.

Apple Safari is Apple's web browser and the default browser shipped with Mac OS X (macOS) and iOS. Safari Downloads is its download component. A security vulnerability exists in the Safari Downloads component of Apple Safari versions prior to 13.1.2.

Excerpt from Apple's security advisory for Safari 13.1.2:

CVE-2020-9912: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)

Safari Login AutoFill
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A malicious attacker may cause Safari to suggest a password for the wrong domain
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9903: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)

Safari Reader
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: An issue in Safari Reader mode may allow a remote attacker to bypass the Same Origin Policy
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9911: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: An access issue existed in Content Security Policy.
CVE-2020-9915: an anonymous researcher

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue was addressed with improved state management.
CVE-2020-9925: an anonymous researcher

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative
CVE-2020-9895: Wen Xu of SSLab, Georgia Tech

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
Description: Multiple issues were addressed with improved logic.
CVE-2020-9910: Samuel Groß of Google Project Zero

WebKit Page Loading
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: A malicious attacker may be able to conceal the destination of a URL
Description: A URL Unicode encoding issue was addressed with improved state management.
CVE-2020-9916: Rakesh Mane (@RakeshMane10)

WebKit Web Inspector
Available for: macOS Mojave and macOS High Sierra, and included in macOS Catalina
Impact: Copying a URL from Web Inspector may lead to command injection
Description: A command injection issue existed in Web Inspector.
CVE-2020-9862: Ophir Lojkine (@lovasoa)

Installation note: Safari 13.1.2 may be obtained from the Mac App Store.

Trust: 1.89

sources: NVD: CVE-2020-9912 // JVNDB: JVNDB-2020-009853 // VULHUB: VHN-188037 // VULMON: CVE-2020-9912 // PACKETSTORM: 158466

AFFECTED PRODUCTS

vendor:applemodel:safariscope:ltversion:13.1.2

Trust: 1.0

vendor:applemodel:safariscope:eqversion:earlier than 13.1.2 (macos high sierra)

Trust: 0.8

vendor:applemodel:safariscope:eqversion:earlier than 13.1.2 (macos mojave)

Trust: 0.8

vendor:applemodel:safariscope:eqversion:earlier than 13.1.2 (macos catalina)

Trust: 0.8

sources: JVNDB: JVNDB-2020-009853 // NVD: CVE-2020-9912
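The affected-product lines above use the aggregator's flattened vendor/model/scope/version form, where scope "lt" means strictly earlier than the given version. The following is an added example, not part of this record or of any Apple or database tooling, that parses such a line and decides whether an installed Safari build falls inside the range. It refuses the JVNDB rows whose version field is free text ("earlier than 13.1.2 (...)") rather than guessing, because their scope field says "eq" while the text says otherwise. The Info.plist path, the helper names and the sample version strings are assumptions constructed for the example.

```python
import plistlib
import re
from pathlib import Path
from typing import NamedTuple, Optional

# Matches lines such as "vendor:applemodel:safariscope:ltversion:13.1.2".
# The version must be purely numeric (an optional "(platform)" suffix is
# allowed); anything else fails to parse instead of being misread.
_RECORD_RE = re.compile(
    r"^vendor:(?P<vendor>.+?)model:(?P<model>.+?)scope:(?P<scope>lt|le|eq|ge|gt)"
    r"version:(?P<version>\d+(?:\.\d+)*)\s*(?:\((?P<platform>[^)]*)\))?$"
)


class AffectedRange(NamedTuple):
    vendor: str
    model: str
    scope: str              # lt/le/eq/ge/gt relative to `version`
    version: str
    platform: Optional[str]  # e.g. "macos high sierra", or None


def parse_version(text):
    """'13.1.2' -> (13, 1, 2). Tuples compare numerically, so 13.1.10 > 13.1.2,
    whereas as strings '13.1.10' < '13.1.2' because '1' sorts before '2'."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_record(line):
    """Parse one flattened AFFECTED PRODUCTS line; ValueError if ambiguous."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable affected-product line: %r" % line)
    return AffectedRange(**m.groupdict())


def is_affected(installed, rng):
    """True if the installed version string lies inside the range."""
    a, b = parse_version(installed), parse_version(rng.version)
    return {"lt": a < b, "le": a <= b, "eq": a == b, "ge": a >= b, "gt": a > b}[rng.scope]


# Assumed location of Safari's bundle on macOS; elsewhere the live check is skipped.
SAFARI_PLIST = Path("/Applications/Safari.app/Contents/Info.plist")


def installed_safari_version(plist_path=SAFARI_PLIST):
    """CFBundleShortVersionString from Safari's Info.plist, or None when absent."""
    if not plist_path.exists():
        return None
    with plist_path.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


if __name__ == "__main__":
    # The NVD range line from the record above.
    rng = parse_record("vendor:applemodel:safariscope:ltversion:13.1.2")
    # Constructed sample versions; 13.1.10 shows why string comparison is wrong.
    for v in ("13.1.1", "13.1.2", "13.1.10"):
        verdict = "affected" if is_affected(v, rng) else "not affected"
        print("%-8s %-13s (naive string compare would say %s)" % (v, verdict, v < rng.version))
    live = installed_safari_version()
    if live is not None:
        print("installed Safari", live, "affected" if is_affected(live, rng) else "not affected")
```

Only the NVD "lt" line is machine-readable here; the three JVNDB rows carry the same range ("earlier than 13.1.2") in their text and should be read by hand, which is why the parser rejects them.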

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-9912
value: LOW

Trust: 1.0

NVD: JVNDB-2020-009853
value: LOW

Trust: 0.8

CNNVD: CNNVD-202007-1171
value: LOW

Trust: 0.6

VULHUB: VHN-188037
value: LOW

Trust: 0.1

VULMON: CVE-2020-9912
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2020-9912
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-009853
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-188037
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-9912
baseSeverity: LOW
baseScore: 3.3
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-009853
baseSeverity: LOW
baseScore: 3.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-188037 // VULMON: CVE-2020-9912 // JVNDB: JVNDB-2020-009853 // CNNVD: CNNVD-202007-1171 // NVD: CVE-2020-9912
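The record lists a CVSS v2 vector (AV:L/AC:L/AU:N/C:N/I:P/A:N, base 2.1, exploitability 3.9, impact 2.9) and a CVSS v3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, base 3.3, exploitability 1.8, impact 1.4). As an added example, not code from this record, NVD or FIRST, the following implements the base-score equations from the FIRST CVSS v2 guide and the CVSS v3.1 specification and reproduces those figures from the vectors; the function names are assumptions. The v2 vector here spells the authentication metric "AU" where the guide writes "Au", so the parser upper-cases keys.

```python
import math

# Base-metric weights from the FIRST CVSS v3.1 specification (v3.0 uses the
# same weights; only its round-up helper differs in float handling).
V3_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
V3_AC = {"L": 0.77, "H": 0.44}
V3_PR = {  # PrivilegesRequired weight depends on Scope
    "U": {"N": 0.85, "L": 0.62, "H": 0.27},
    "C": {"N": 0.85, "L": 0.68, "H": 0.50},
}
V3_UI = {"N": 0.85, "R": 0.62}
V3_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

# Base-metric weights from the CVSS v2 guide.
V2_AV = {"L": 0.395, "A": 0.646, "N": 1.0}
V2_AC = {"H": 0.35, "M": 0.61, "L": 0.71}
V2_AU = {"M": 0.45, "S": 0.56, "N": 0.704}
V2_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_vector(vector):
    """Split 'CVSS:3.1/AV:L/...' or a v2 'AV:L/AC:L/AU:N/...' into (version, metrics).
    Keys and values are upper-cased; no 'CVSS:' prefix means a v2 vector."""
    version, metrics = "2.0", {}
    for part in vector.strip().split("/"):
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError("malformed metric: %r" % part)
        if key.upper() == "CVSS":
            version = value
        else:
            metrics[key.upper()] = value.upper()
    return version, metrics


def roundup_v3(x):
    """CVSS v3.1 Roundup (Appendix A): smallest one-decimal value >= x,
    done on an integer so float artefacts cannot push a score up a notch."""
    int_input = int(round(x * 100000))
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def cvss3_base(vector):
    """Return (base, exploitability, impact) for a v3.0/v3.1 base vector."""
    version, m = parse_vector(vector)
    if not version.startswith("3."):
        raise ValueError("not a CVSS v3 vector")
    scope = m["S"]
    iss = 1 - (1 - V3_CIA[m["C"]]) * (1 - V3_CIA[m["I"]]) * (1 - V3_CIA[m["A"]])
    if scope == "C":
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * V3_AV[m["AV"]] * V3_AC[m["AC"]] * V3_PR[scope][m["PR"]] * V3_UI[m["UI"]]
    if impact <= 0:
        base = 0.0
    elif scope == "C":
        base = roundup_v3(min(1.08 * (impact + exploitability), 10))
    else:
        base = roundup_v3(min(impact + exploitability, 10))
    # NVD publishes the two sub-scores rounded to one decimal place.
    return base, round(exploitability, 1), round(impact, 1)


def cvss2_base(vector):
    """Return (base, exploitability, impact) for a v2 base vector."""
    version, m = parse_vector(vector)
    if version != "2.0":
        raise ValueError("not a CVSS v2 vector")
    impact = 10.41 * (1 - (1 - V2_CIA[m["C"]]) * (1 - V2_CIA[m["I"]]) * (1 - V2_CIA[m["A"]]))
    exploitability = 20 * V2_AV[m["AV"]] * V2_AC[m["AC"]] * V2_AU[m["AU"]]
    f_impact = 0.0 if impact == 0 else 1.176
    base = round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)
    return base, round(exploitability, 1), round(impact, 1)


def severity_v3(base):
    """Qualitative rating scale from the v3.x specification."""
    if base == 0:
        return "NONE"
    if base < 4.0:
        return "LOW"
    if base < 7.0:
        return "MEDIUM"
    if base < 9.0:
        return "HIGH"
    return "CRITICAL"


def severity_v2(base):
    """NVD's v2 bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if base < 4.0:
        return "LOW"
    return "MEDIUM" if base < 7.0 else "HIGH"


if __name__ == "__main__":
    # The two vectors published for CVE-2020-9912 in the record above.
    for name, fn, sev, vec in (
        ("v3.1", cvss3_base, severity_v3, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"),
        ("v2.0", cvss2_base, severity_v2, "AV:L/AC:L/AU:N/C:N/I:P/A:N"),
    ):
        base, expl, imp = fn(vec)
        print("%s base=%.1f exploitability=%.1f impact=%.1f %s" % (name, base, expl, imp, sev(base)))
```

The v3.0 vector given by JVNDB has the same metrics and yields the same 3.3, since the two specification versions differ only in how round-up treats floating-point noise; the integer-based helper above is the v3.1 form.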

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2020-9912

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202007-1171

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202007-1171

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-009853

PATCH

title:HT211292url:https://support.apple.com/en-us/HT211292

Trust: 0.8

title:HT211292url:https://support.apple.com/ja-jp/HT211292

Trust: 0.8

title:Apple Safari Download Fixes for component security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=124613

Trust: 0.6

sources: JVNDB: JVNDB-2020-009853 // CNNVD: CNNVD-202007-1171

EXTERNAL IDS

db:NVDid:CVE-2020-9912

Trust: 2.7

db:JVNid:JVNVU94090210

Trust: 0.8

db:JVNDBid:JVNDB-2020-009853

Trust: 0.8

db:CNNVDid:CNNVD-202007-1171

Trust: 0.7

db:PACKETSTORMid:158466

Trust: 0.7

db:AUSCERTid:ESB-2020.2434

Trust: 0.6

db:NSFOCUSid:50118

Trust: 0.6

db:CNVDid:CNVD-2020-65919

Trust: 0.1

db:VULHUBid:VHN-188037

Trust: 0.1

db:VULMONid:CVE-2020-9912

Trust: 0.1

sources: VULHUB: VHN-188037 // VULMON: CVE-2020-9912 // JVNDB: JVNDB-2020-009853 // PACKETSTORM: 158466 // CNNVD: CNNVD-202007-1171 // NVD: CVE-2020-9912

REFERENCES

url:https://support.apple.com/ht211292

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-9912

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9912

Trust: 0.8

url:http://jvn.jp/vu/jvnvu94090210/index.html

Trust: 0.8

url:http://www.nsfocus.net/vulndb/50118

Trust: 0.6

url:https://support.apple.com/en-us/ht211292

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2434/

Trust: 0.6

url:https://support.apple.com/kb/ht211292

Trust: 0.6

url:https://packetstormsecurity.com/files/158466/apple-security-advisory-2020-07-15-5.html

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/185380

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9911

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9915

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9903

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9916

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9893

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9862

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9925

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9895

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9910

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-9894

Trust: 0.1

sources: VULHUB: VHN-188037 // VULMON: CVE-2020-9912 // JVNDB: JVNDB-2020-009853 // PACKETSTORM: 158466 // CNNVD: CNNVD-202007-1171 // NVD: CVE-2020-9912

CREDITS

Apple

Trust: 0.7

sources: PACKETSTORM: 158466 // CNNVD: CNNVD-202007-1171

SOURCES

db:VULHUBid:VHN-188037
db:VULMONid:CVE-2020-9912
db:JVNDBid:JVNDB-2020-009853
db:PACKETSTORMid:158466
db:CNNVDid:CNNVD-202007-1171
db:NVDid:CVE-2020-9912

LAST UPDATE DATE

2024-11-23T21:01:06.063000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-188037date:2020-10-20T00:00:00
db:VULMONid:CVE-2020-9912date:2020-10-20T00:00:00
db:JVNDBid:JVNDB-2020-009853date:2020-12-10T08:04:56
db:CNNVDid:CNNVD-202007-1171date:2021-10-29T00:00:00
db:NVDid:CVE-2020-9912date:2024-11-21T05:41:30.877

SOURCES RELEASE DATE

db:VULHUBid:VHN-188037date:2020-10-16T00:00:00
db:VULMONid:CVE-2020-9912date:2020-10-16T00:00:00
db:JVNDBid:JVNDB-2020-009853date:2020-12-10T08:04:56
db:PACKETSTORMid:158466date:2020-07-17T19:35:50
db:CNNVDid:CNNVD-202007-1171date:2020-07-15T00:00:00
db:NVDid:CVE-2020-9912date:2020-10-16T17:15:16.857