Input validation error in products

#VU33457 Input validation error in products

Cybersecurity Help s.r.o.

Published: 2020-08-04

Vulnerability identifier: #VU33457

Vulnerability risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-2371

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. The issue involves the "WebKit" component, which allows remote attackers to launch popups via a crafted web site.

Mitigation
Install update from vendor's website.

External links
http://www.securityfocus.com/bid/95735
http://www.securitytracker.com/id/1037668
http://security.gentoo.org/glsa/201706-15
http://support.apple.com/HT207482
http://www.exploit-db.com/exploits/41451/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Input validation error in webkit2gtk (Alpine package)

Arch Linux update for webkit2gtk