var-201904-1460
Vulnerability from variot
A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation. This issue affected versions prior to iOS 12, tvOS 12, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7. plural Apple The product includes URL A cross-site scripting vulnerability exists due to a lack of validation processing.Information may be obtained and information may be altered. Apple Safari, etc. are all products of Apple (Apple). Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. WebKit is one of the web browser engine components. A remote attacker could exploit this vulnerability via a specially crafted website to steal cross-origin image data. ========================================================================== Ubuntu Security Notice USN-3828-1 November 27, 2018
webkit2gtk vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in WebKitGTK+.
Software Description: - webkit2gtk: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 18.10: libjavascriptcoregtk-4.0-18 2.22.4-0ubuntu0.18.10.1 libwebkit2gtk-4.0-37 2.22.4-0ubuntu0.18.10.1
Ubuntu 18.04 LTS: libjavascriptcoregtk-4.0-18 2.22.4-0ubuntu0.18.04.1 libwebkit2gtk-4.0-37 2.22.4-0ubuntu0.18.04.1
This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any applications that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
References: https://usn.ubuntu.com/usn/usn-3828-1 CVE-2018-4345, CVE-2018-4372, CVE-2018-4386
Package Information: https://launchpad.net/ubuntu/+source/webkit2gtk/2.22.4-0ubuntu0.18.10.1 https://launchpad.net/ubuntu/+source/webkit2gtk/2.22.4-0ubuntu0.18.04.1 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
APPLE-SA-2018-9-24-6 Additional information for APPLE-SA-2018-9-17-3 tvOS 12
tvOS 12 addresses the following:
Auto Unlock Available for: Apple TV 4K and Apple TV (4th generation) Impact: A malicious application may be able to access local users AppleIDs Description: A validation issue existed in the entitlement verification. CVE-2018-4321: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc. Entry added September 24, 2018
Bluetooth Available for: Apple TV (4th generation) Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic Description: An input validation issue existed in Bluetooth. CVE-2018-5383: Lior Neumann and Eli Biham
iTunes Store Available for: Apple TV 4K and Apple TV (4th generation) Impact: An attacker in a privileged network position may be able to spoof password prompts in the iTunes Store Description: An input validation issue was addressed with improved input validation. CVE-2018-4305: Jerry Decime
Kernel Available for: Apple TV 4K and Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2018-4336: Brandon Azad CVE-2018-4344: The UK's National Cyber Security Centre (NCSC) Entry added September 24, 2018
Kernel Available for: Apple TV 4K and Apple TV (4th generation) Impact: An application may be able to read restricted memory Description: An input validation issue existed in the kernel. CVE-2018-4363: Ian Beer of Google Project Zero
Safari Available for: Apple TV 4K and Apple TV (4th generation) Impact: A local user may be able to discover websites a user has visited Description: A consistency issue existed in the handling of application snapshots. CVE-2018-4313: 11 anonymous researchers, David Scott, Enes Mert Ulu of Abdullah MA1/4rAide AzA1/4nenek Anadolu Lisesi - Ankara/TA1/4rkiye, Mehmet Ferit DaAtan of Van YA1/4zA1/4ncA1/4 YA+-l University, Metin Altug Karakaya of Kaliptus Medical Organization, Vinodh Swami of Western Governor's University (WGU)
Security Available for: Apple TV 4K and Apple TV (4th generation) Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm Description: This issue was addressed by removing RC4. CVE-2018-4345: an anonymous researcher Entry added September 24, 2018
WebKit Available for: Apple TV 4K and Apple TV (4th generation) Impact: Unexpected interaction causes an ASSERT failure Description: A memory corruption issue was addressed with improved validation. CVE-2018-4191: found by OSS-Fuzz Entry added September 24, 2018
WebKit Available for: Apple TV 4K and Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2018-4316: crixer, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team Entry added September 24, 2018
WebKit Available for: Apple TV 4K and Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4299: Samuel GroI2 (saelo) working with Trend Micro's Zero Day Initiative CVE-2018-4323: Ivan Fratric of Google Project Zero CVE-2018-4328: Ivan Fratric of Google Project Zero CVE-2018-4358: @phoenhex team (@bkth_ @5aelo @_niklasb) working with Trend Micro's Zero Day Initiative CVE-2018-4359: Samuel GroA (@5aelo) Entry added September 24, 2018
WebKit Available for: Apple TV 4K and Apple TV (4th generation) Impact: A malicious website may be able to execute scripts in the context of another website Description: A cross-site scripting issue existed in Safari. CVE-2018-4309: an anonymous researcher working with Trend Micro's Zero Day Initiative Entry added September 24, 2018
WebKit Available for: Apple TV 4K and Apple TV (4th generation) Impact: Unexpected interaction causes an ASSERT failure Description: A memory consumption issue was addressed with improved memory handling. CVE-2018-4361: found by Google OSS-Fuzz Entry added September 24, 2018
Additional recognition
Assets We would like to acknowledge Brandon Azad for their assistance.
Core Data We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance.
SQLite We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance.
WebKit We would like to acknowledge Cary Hartline, Hanming Zhang from 360 Vuclan team, and Zach Malone of CA Technologies for their assistance.
Installation note:
Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software."
To check the current version of software, select "Settings -> General -> About."
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlupFUMACgkQeC9tht7T K3H35Q//UwJyTZpRVx33z/T3GxYfFX9dxg2fwdkVFxCGWR/yGCL/pMwNH/UwerQH qcdzG3VopySXXJy/goEJD+w+f8QNtueysfE7+MrYvogVD1OVALDc0xaZvudKmSoo d0APBDtlkkLn4evwwpIYfl6Ikje/j40ZOfzSZ8+9hsoq6b+tkhSo8UC+hphUBi4L lMshXi5OmekimBWgGdPGN77UQoFAJriMQHLppQ4x46qHuiMSAKHeCz+AdL4Xk1dh fzdbizI4p7CssUzJHOPU61NPB28AoPsVJ8yEQpKDvHcnkPxtgtAzoIBWl0MwUCXg OaT+8poN/HsMVJYtM2vi322IJGfMtcWtU/TJ1TbhAih6Bal2paIEj4zBirEXc9sF dQyWB+EB8h+g4MtXyo6ax7OyO3UmRsISyCQhCNKWhXjTt4/9Q6xMbGxfW6X7EtHN mgM/74rqkM53Tfy3kqywBDi90v4aNMUGdbYcK3YJldayW++K2J6OtxZZmflfYkbU GTnAaEFIa0dLX/e+uqGRtz2F0K8mr9/9VwiwrH3et2FALvU6RyFLX7jqnKFyGpUp LdXH6Mz6xBYS7Rg2vKVjUsHXlutpknmDxyx8Orirgb2gNHN97w8GDCnmOAd2euoL HZdlwhs4SLaLqyNegbG3y3MD7gK8oRTZx3tXeJRmYV6UGp+d9QI= =pj7d -----END PGP SIGNATURE----- . ------------------------------------------------------------------------ WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0008
Date reported : November 21, 2018 Advisory ID : WSA-2018-0008 WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2018-0008.html WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2018-0008.html CVE identifiers : CVE-2018-4345, CVE-2018-4372, CVE-2018-4373, CVE-2018-4375, CVE-2018-4376, CVE-2018-4378, CVE-2018-4382, CVE-2018-4386, CVE-2018-4392, CVE-2018-4416.
Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.
CVE-2018-4345 Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before 2.22.1. Credit to an anonymous researcher.
CVE-2018-4372 Versions affected: WebKitGTK+ before 2.22.4 and WPE WebKit before 2.22.2. Credit to HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4373 Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. Credit to ngg, alippai, DirtYiCE, KT of Tresorit working with Trend Microys Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4375 Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0. Credit to Yu Haiwan and Wu Hongjun From Nanyang Technological University working with Trend Micro's Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4376 Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0. Credit to 010 working with Trend Micro's Zero Day Initiative. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4378 Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0. Credit to an anonymous researcher, zhunki of 360 ESG Codesafe Team. Processing maliciously crafted web content may lead to code execution.
CVE-2018-4382 Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0. Credit to lokihardt of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4386 Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before 2.22.1. Credit to lokihardt of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4392 Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0. Credit to zhunki of 360 ESG Codesafe Team. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4416 Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0. Credit to lokihardt of Google Project Zero. Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.
We recommend updating to the latest stable versions of WebKitGTK+ and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.
Further information about WebKitGTK+ and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.
The WebKitGTK+ and WPE WebKit team, November 21, 2018 . CVE-2018-4329: Hugo S. CVE-2018-4195: xisigr of Tencent's Xuanwu Lab (www.tencent.com)
Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14 Impact: A malicious website may be able to exfiltrate autofilled data in Safari Description: A logic issue was addressed with improved state management.
Installation note:
Safari 12 may be obtained from the Mac App Store
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201904-1460",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "itunes",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.9"
},
{
"model": "safari",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12"
},
{
"model": "tvos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12"
},
{
"model": "icloud",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "7.7"
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.0"
},
{
"model": "icloud",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "for windows 7.7 (windows 7 or later )"
},
{
"model": "ios",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (ipad air or later )"
},
{
"model": "ios",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (iphone 5s or later )"
},
{
"model": "ios",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (ipod touch first 6 generation )"
},
{
"model": "itunes",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "for windows 12.9 (windows 7 or later )"
},
{
"model": "safari",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (macos high sierra 10.13.6)"
},
{
"model": "safari",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (macos mojave 10.14)"
},
{
"model": "safari",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (macos sierra 10.12.6)"
},
{
"model": "tvos",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (apple tv 4k)"
},
{
"model": "tvos",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "12 (apple tv first 4 generation )"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-014993"
},
{
"db": "NVD",
"id": "CVE-2018-4345"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "12.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "12",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "12",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apple:icloud:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "7.7",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "12.9",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-4345"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple",
"sources": [
{
"db": "PACKETSTORM",
"id": "150115"
},
{
"db": "PACKETSTORM",
"id": "149516"
},
{
"db": "PACKETSTORM",
"id": "150114"
},
{
"db": "PACKETSTORM",
"id": "149511"
},
{
"db": "PACKETSTORM",
"id": "149513"
},
{
"db": "PACKETSTORM",
"id": "149722"
}
],
"trust": 0.6
},
"cve": "CVE-2018-4345",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2018-4345",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-134376",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2018-4345",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-4345",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201809-1162",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-134376",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-4345",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134376"
},
{
"db": "VULMON",
"id": "CVE-2018-4345"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014993"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-1162"
},
{
"db": "NVD",
"id": "CVE-2018-4345"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation. This issue affected versions prior to iOS 12, tvOS 12, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7. plural Apple The product includes URL A cross-site scripting vulnerability exists due to a lack of validation processing.Information may be obtained and information may be altered. Apple Safari, etc. are all products of Apple (Apple). Apple Safari is a web browser that is the default browser included with the Mac OS X and iOS operating systems. Apple iOS is an operating system developed for mobile devices. Apple tvOS is a smart TV operating system. WebKit is one of the web browser engine components. A remote attacker could exploit this vulnerability via a specially crafted website to steal cross-origin image data. ==========================================================================\nUbuntu Security Notice USN-3828-1\nNovember 27, 2018\n\nwebkit2gtk vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 18.10\n- Ubuntu 18.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in WebKitGTK+. \n\nSoftware Description:\n- webkit2gtk: Web content engine library for GTK+\n\nDetails:\n\nA large number of security issues were discovered in the WebKitGTK+ Web and\nJavaScript engines. If a user were tricked into viewing a malicious\nwebsite, a remote attacker could exploit a variety of issues related to web\nbrowser security, including cross-site scripting attacks, denial of service\nattacks, and arbitrary code execution. \n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 18.10:\n libjavascriptcoregtk-4.0-18 2.22.4-0ubuntu0.18.10.1\n libwebkit2gtk-4.0-37 2.22.4-0ubuntu0.18.10.1\n\nUbuntu 18.04 LTS:\n libjavascriptcoregtk-4.0-18 2.22.4-0ubuntu0.18.04.1\n libwebkit2gtk-4.0-37 2.22.4-0ubuntu0.18.04.1\n\nThis update uses a new upstream release, which includes additional bug\nfixes. After a standard system update you need to restart any applications\nthat use WebKitGTK+, such as Epiphany, to make all the necessary changes. \n\nReferences:\n https://usn.ubuntu.com/usn/usn-3828-1\n CVE-2018-4345, CVE-2018-4372, CVE-2018-4386\n\nPackage Information:\n https://launchpad.net/ubuntu/+source/webkit2gtk/2.22.4-0ubuntu0.18.10.1\n https://launchpad.net/ubuntu/+source/webkit2gtk/2.22.4-0ubuntu0.18.04.1\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2018-9-24-6 Additional information for\nAPPLE-SA-2018-9-17-3 tvOS 12\n\ntvOS 12 addresses the following:\n\nAuto Unlock\nAvailable for: Apple TV 4K and Apple TV (4th generation)\nImpact: A malicious application may be able to access local users\nAppleIDs\nDescription: A validation issue existed in the entitlement\nverification. \nCVE-2018-4321: Min (Spark) Zheng, Xiaolong Bai of Alibaba Inc. \nEntry added September 24, 2018\n\nBluetooth\nAvailable for: Apple TV (4th generation)\nImpact: An attacker in a privileged network position may be able to\nintercept Bluetooth traffic\nDescription: An input validation issue existed in Bluetooth. \nCVE-2018-5383: Lior Neumann and Eli Biham\n\niTunes Store\nAvailable for: Apple TV 4K and Apple TV (4th generation)\nImpact: An attacker in a privileged network position may be able to\nspoof password prompts in the iTunes Store\nDescription: An input validation issue was addressed with improved\ninput validation. \nCVE-2018-4305: Jerry Decime\n\nKernel\nAvailable for: Apple TV 4K and Apple TV (4th generation)\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2018-4336: Brandon Azad\nCVE-2018-4344: The UK\u0027s National Cyber Security Centre (NCSC)\nEntry added September 24, 2018\n\nKernel\nAvailable for: Apple TV 4K and Apple TV (4th generation)\nImpact: An application may be able to read restricted memory\nDescription: An input validation issue existed in the kernel. \nCVE-2018-4363: Ian Beer of Google Project Zero\n\nSafari\nAvailable for: Apple TV 4K and Apple TV (4th generation)\nImpact: A local user may be able to discover websites a user has\nvisited\nDescription: A consistency issue existed in the handling of\napplication snapshots. \nCVE-2018-4313: 11 anonymous researchers, David Scott, Enes Mert Ulu\nof Abdullah MA1/4rAide AzA1/4nenek Anadolu Lisesi - Ankara/TA1/4rkiye,\nMehmet Ferit DaAtan of Van YA1/4zA1/4ncA1/4 YA+-l University, Metin Altug\nKarakaya of Kaliptus Medical Organization, Vinodh Swami of Western\nGovernor\u0027s University (WGU)\n\nSecurity\nAvailable for: Apple TV 4K and Apple TV (4th generation)\nImpact: An attacker may be able to exploit weaknesses in the RC4\ncryptographic algorithm\nDescription: This issue was addressed by removing RC4. \nCVE-2018-4345: an anonymous researcher\nEntry added September 24, 2018\n\nWebKit\nAvailable for: Apple TV 4K and Apple TV (4th generation)\nImpact: Unexpected interaction causes an ASSERT failure\nDescription: A memory corruption issue was addressed with improved\nvalidation. \nCVE-2018-4191: found by OSS-Fuzz\nEntry added September 24, 2018\n\nWebKit\nAvailable for: Apple TV 4K and Apple TV (4th generation)\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A memory corruption issue was addressed with improved\nstate management. \nCVE-2018-4316: crixer, Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan\nTeam\nEntry added September 24, 2018\n\nWebKit\nAvailable for: Apple TV 4K and Apple TV (4th generation)\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: Multiple memory corruption issues were addressed with\nimproved memory handling. \nCVE-2018-4299: Samuel GroI2 (saelo) working with Trend Micro\u0027s Zero\nDay Initiative\nCVE-2018-4323: Ivan Fratric of Google Project Zero\nCVE-2018-4328: Ivan Fratric of Google Project Zero\nCVE-2018-4358: @phoenhex team (@bkth_ @5aelo @_niklasb) working with\nTrend Micro\u0027s Zero Day Initiative\nCVE-2018-4359: Samuel GroA (@5aelo)\nEntry added September 24, 2018\n\nWebKit\nAvailable for: Apple TV 4K and Apple TV (4th generation)\nImpact: A malicious website may be able to execute scripts in the\ncontext of another website\nDescription: A cross-site scripting issue existed in Safari. \nCVE-2018-4309: an anonymous researcher working with Trend Micro\u0027s\nZero Day Initiative\nEntry added September 24, 2018\n\nWebKit\nAvailable for: Apple TV 4K and Apple TV (4th generation)\nImpact: Unexpected interaction causes an ASSERT failure\nDescription: A memory consumption issue was addressed with improved\nmemory handling. \nCVE-2018-4361: found by Google OSS-Fuzz\nEntry added September 24, 2018\n\nAdditional recognition\n\nAssets\nWe would like to acknowledge Brandon Azad for their assistance. \n\nCore Data\nWe would like to acknowledge Andreas Kurtz (@aykay) of NESO Security\nLabs GmbH for their assistance. \n\nSQLite\nWe would like to acknowledge Andreas Kurtz (@aykay) of NESO Security\nLabs GmbH for their assistance. \n\nWebKit\nWe would like to acknowledge Cary Hartline, Hanming Zhang from 360\nVuclan team, and Zach Malone of CA Technologies for their assistance. \n\nInstallation note:\n\nApple TV will periodically check for software updates. Alternatively,\nyou may manually check for software updates by selecting\n\"Settings -\u003e System -\u003e Software Update -\u003e Update Software.\"\n\nTo check the current version of software, select\n\"Settings -\u003e General -\u003e About.\"\n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCAAdFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlupFUMACgkQeC9tht7T\nK3H35Q//UwJyTZpRVx33z/T3GxYfFX9dxg2fwdkVFxCGWR/yGCL/pMwNH/UwerQH\nqcdzG3VopySXXJy/goEJD+w+f8QNtueysfE7+MrYvogVD1OVALDc0xaZvudKmSoo\nd0APBDtlkkLn4evwwpIYfl6Ikje/j40ZOfzSZ8+9hsoq6b+tkhSo8UC+hphUBi4L\nlMshXi5OmekimBWgGdPGN77UQoFAJriMQHLppQ4x46qHuiMSAKHeCz+AdL4Xk1dh\nfzdbizI4p7CssUzJHOPU61NPB28AoPsVJ8yEQpKDvHcnkPxtgtAzoIBWl0MwUCXg\nOaT+8poN/HsMVJYtM2vi322IJGfMtcWtU/TJ1TbhAih6Bal2paIEj4zBirEXc9sF\ndQyWB+EB8h+g4MtXyo6ax7OyO3UmRsISyCQhCNKWhXjTt4/9Q6xMbGxfW6X7EtHN\nmgM/74rqkM53Tfy3kqywBDi90v4aNMUGdbYcK3YJldayW++K2J6OtxZZmflfYkbU\nGTnAaEFIa0dLX/e+uqGRtz2F0K8mr9/9VwiwrH3et2FALvU6RyFLX7jqnKFyGpUp\nLdXH6Mz6xBYS7Rg2vKVjUsHXlutpknmDxyx8Orirgb2gNHN97w8GDCnmOAd2euoL\nHZdlwhs4SLaLqyNegbG3y3MD7gK8oRTZx3tXeJRmYV6UGp+d9QI=\n=pj7d\n-----END PGP SIGNATURE-----\n. ------------------------------------------------------------------------\nWebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0008\n------------------------------------------------------------------------\n\nDate reported : November 21, 2018\nAdvisory ID : WSA-2018-0008\nWebKitGTK+ Advisory URL : \nhttps://webkitgtk.org/security/WSA-2018-0008.html\nWPE WebKit Advisory URL : \nhttps://wpewebkit.org/security/WSA-2018-0008.html\nCVE identifiers : CVE-2018-4345, CVE-2018-4372, CVE-2018-4373,\n CVE-2018-4375, CVE-2018-4376, CVE-2018-4378,\n CVE-2018-4382, CVE-2018-4386, CVE-2018-4392,\n CVE-2018-4416. \n\nSeveral vulnerabilities were discovered in WebKitGTK+ and WPE WebKit. \n\nCVE-2018-4345\n Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before\n 2.22.1. \n Credit to an anonymous researcher. \n\nCVE-2018-4372\n Versions affected: WebKitGTK+ before 2.22.4 and WPE WebKit before\n 2.22.2. \n Credit to HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST\n Softsec Lab, Korea. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. Multiple memory corruption issues were addressed\n with improved memory handling. \n\nCVE-2018-4373\n Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0. \n Credit to ngg, alippai, DirtYiCE, KT of Tresorit working with Trend\n Microys Zero Day Initiative. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. Multiple memory corruption issues were addressed\n with improved memory handling. \n\nCVE-2018-4375\n Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before\n 2.22.0. \n Credit to Yu Haiwan and Wu Hongjun From Nanyang Technological\n University working with Trend Micro\u0027s Zero Day Initiative. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. Multiple memory corruption issues were addressed\n with improved memory handling. \n\nCVE-2018-4376\n Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before\n 2.22.0. \n Credit to 010 working with Trend Micro\u0027s Zero Day Initiative. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. Multiple memory corruption issues were addressed\n with improved memory handling. \n\nCVE-2018-4378\n Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before\n 2.22.0. \n Credit to an anonymous researcher, zhunki of 360 ESG Codesafe Team. \n Processing maliciously crafted web content may lead to code\n execution. \n\nCVE-2018-4382\n Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before\n 2.22.0. \n Credit to lokihardt of Google Project Zero. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. Multiple memory corruption issues were addressed\n with improved memory handling. \n\nCVE-2018-4386\n Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before\n 2.22.1. \n Credit to lokihardt of Google Project Zero. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. Multiple memory corruption issues were addressed\n with improved memory handling. \n\nCVE-2018-4392\n Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before\n 2.22.0. \n Credit to zhunki of 360 ESG Codesafe Team. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. Multiple memory corruption issues were addressed\n with improved memory handling. \n\nCVE-2018-4416\n Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before\n 2.22.0. \n Credit to lokihardt of Google Project Zero. \n Processing maliciously crafted web content may lead to arbitrary\n code execution. Multiple memory corruption issues were addressed\n with improved memory handling. \n\n\nWe recommend updating to the latest stable versions of WebKitGTK+ and\nWPE WebKit. It is the best way to ensure that you are running safe\nversions of WebKit. Please check our websites for information about the\nlatest stable releases. \n\nFurther information about WebKitGTK+ and WPE WebKit security advisories\ncan be found at: https://webkitgtk.org/security.html or\nhttps://wpewebkit.org/security/. \n\nThe WebKitGTK+ and WPE WebKit team,\nNovember 21, 2018\n. \nCVE-2018-4329: Hugo S. \nCVE-2018-4195: xisigr of Tencent\u0027s Xuanwu Lab (www.tencent.com)\n\nSecurity\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14\nImpact: A malicious website may be able to exfiltrate autofilled data\nin Safari\nDescription: A logic issue was addressed with improved state\nmanagement. \n\nInstallation note:\n\nSafari 12 may be obtained from the Mac App Store",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-4345"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014993"
},
{
"db": "VULHUB",
"id": "VHN-134376"
},
{
"db": "VULMON",
"id": "CVE-2018-4345"
},
{
"db": "PACKETSTORM",
"id": "150483"
},
{
"db": "PACKETSTORM",
"id": "150115"
},
{
"db": "PACKETSTORM",
"id": "149516"
},
{
"db": "PACKETSTORM",
"id": "150114"
},
{
"db": "PACKETSTORM",
"id": "149511"
},
{
"db": "PACKETSTORM",
"id": "150431"
},
{
"db": "PACKETSTORM",
"id": "149513"
},
{
"db": "PACKETSTORM",
"id": "149722"
}
],
"trust": 2.52
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-134376",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134376"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-4345",
"trust": 3.4
},
{
"db": "JVN",
"id": "JVNVU92800088",
"trust": 0.8
},
{
"db": "JVN",
"id": "JVNVU93341447",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014993",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201809-1162",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "150483",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "150431",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-134376",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-4345",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "150115",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149516",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "150114",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149511",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149513",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149722",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134376"
},
{
"db": "VULMON",
"id": "CVE-2018-4345"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014993"
},
{
"db": "PACKETSTORM",
"id": "150483"
},
{
"db": "PACKETSTORM",
"id": "150115"
},
{
"db": "PACKETSTORM",
"id": "149516"
},
{
"db": "PACKETSTORM",
"id": "150114"
},
{
"db": "PACKETSTORM",
"id": "149511"
},
{
"db": "PACKETSTORM",
"id": "150431"
},
{
"db": "PACKETSTORM",
"id": "149513"
},
{
"db": "PACKETSTORM",
"id": "149722"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-1162"
},
{
"db": "NVD",
"id": "CVE-2018-4345"
}
]
},
"id": "VAR-201904-1460",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-134376"
}
],
"trust": 0.01
},
"last_update_date": "2024-07-23T21:40:45.159000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "HT209141",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht209141"
},
{
"title": "HT209106",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht209106"
},
{
"title": "HT209107",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht209107"
},
{
"title": "HT209109",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht209109"
},
{
"title": "HT209140",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht209140"
},
{
"title": "HT209106",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht209106"
},
{
"title": "HT209107",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht209107"
},
{
"title": "HT209109",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht209109"
},
{
"title": "HT209140",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht209140"
},
{
"title": "HT209141",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht209141"
},
{
"title": "Multiple Apple product WebKit Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=85196"
},
{
"title": "Ubuntu Security Notice: webkit2gtk vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=usn-3828-1"
},
{
"title": "BleepingComputer",
"trust": 0.1,
"url": "https://www.bleepingcomputer.com/news/security/apple-releases-security-updates-for-ios-and-icloud-fixes-passcode-bypass/"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-4345"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014993"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-1162"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134376"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014993"
},
{
"db": "NVD",
"id": "CVE-2018-4345"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4345"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht209106"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht209107"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht209109"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht209140"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht209141"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-4345"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu93341447/index.html"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu92800088/index.html"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4323"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4318"
},
{
"trust": 0.6,
"url": "https://support.apple.com/kb/ht201222"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4191"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4361"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4309"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4315"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4197"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4316"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4359"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4317"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4306"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4358"
},
{
"trust": 0.6,
"url": "https://www.apple.com/support/security/pgp/"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4312"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4328"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4314"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4299"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4319"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4311"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4360"
},
{
"trust": 0.2,
"url": "https://support.apple.com/ht204283"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4412"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4414"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4126"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4347"
},
{
"trust": 0.2,
"url": "https://www.apple.com/itunes/download/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/79.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/3828-1/"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/webkit2gtk/2.22.4-0ubuntu0.18.04.1"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/usn/usn-3828-1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/webkit2gtk/2.22.4-0ubuntu0.18.10.1"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4336"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4305"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4344"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-5383"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4313"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1777"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4321"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4363"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4386"
},
{
"trust": 0.1,
"url": "https://webkitgtk.org/security/wsa-2018-0008.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4375"
},
{
"trust": 0.1,
"url": "https://webkitgtk.org/security.html"
},
{
"trust": 0.1,
"url": "https://wpewebkit.org/security/wsa-2018-0008.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4392"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4372"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4378"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4382"
},
{
"trust": 0.1,
"url": "https://wpewebkit.org/security/."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4373"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4416"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4376"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4307"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4195"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-4329"
},
{
"trust": 0.1,
"url": "https://www.tencent.com)"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-134376"
},
{
"db": "VULMON",
"id": "CVE-2018-4345"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014993"
},
{
"db": "PACKETSTORM",
"id": "150483"
},
{
"db": "PACKETSTORM",
"id": "150115"
},
{
"db": "PACKETSTORM",
"id": "149516"
},
{
"db": "PACKETSTORM",
"id": "150114"
},
{
"db": "PACKETSTORM",
"id": "149511"
},
{
"db": "PACKETSTORM",
"id": "150431"
},
{
"db": "PACKETSTORM",
"id": "149513"
},
{
"db": "PACKETSTORM",
"id": "149722"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-1162"
},
{
"db": "NVD",
"id": "CVE-2018-4345"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-134376"
},
{
"db": "VULMON",
"id": "CVE-2018-4345"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-014993"
},
{
"db": "PACKETSTORM",
"id": "150483"
},
{
"db": "PACKETSTORM",
"id": "150115"
},
{
"db": "PACKETSTORM",
"id": "149516"
},
{
"db": "PACKETSTORM",
"id": "150114"
},
{
"db": "PACKETSTORM",
"id": "149511"
},
{
"db": "PACKETSTORM",
"id": "150431"
},
{
"db": "PACKETSTORM",
"id": "149513"
},
{
"db": "PACKETSTORM",
"id": "149722"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-1162"
},
{
"db": "NVD",
"id": "CVE-2018-4345"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-04-03T00:00:00",
"db": "VULHUB",
"id": "VHN-134376"
},
{
"date": "2019-04-03T00:00:00",
"db": "VULMON",
"id": "CVE-2018-4345"
},
{
"date": "2019-04-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-014993"
},
{
"date": "2018-11-28T01:29:36",
"db": "PACKETSTORM",
"id": "150483"
},
{
"date": "2018-10-31T16:10:39",
"db": "PACKETSTORM",
"id": "150115"
},
{
"date": "2018-09-25T16:32:23",
"db": "PACKETSTORM",
"id": "149516"
},
{
"date": "2018-10-31T16:10:29",
"db": "PACKETSTORM",
"id": "150114"
},
{
"date": "2018-09-25T16:20:49",
"db": "PACKETSTORM",
"id": "149511"
},
{
"date": "2018-11-22T14:44:44",
"db": "PACKETSTORM",
"id": "150431"
},
{
"date": "2018-09-25T16:25:47",
"db": "PACKETSTORM",
"id": "149513"
},
{
"date": "2018-10-09T16:58:43",
"db": "PACKETSTORM",
"id": "149722"
},
{
"date": "2018-09-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-1162"
},
{
"date": "2019-04-03T18:29:09.267000",
"db": "NVD",
"id": "CVE-2018-4345"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-04-05T00:00:00",
"db": "VULHUB",
"id": "VHN-134376"
},
{
"date": "2019-04-05T00:00:00",
"db": "VULMON",
"id": "CVE-2018-4345"
},
{
"date": "2019-04-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-014993"
},
{
"date": "2019-04-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-1162"
},
{
"date": "2019-04-05T13:48:24.453000",
"db": "NVD",
"id": "CVE-2018-4345"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "150483"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-1162"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural Apple Product cross-site scripting vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-014993"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201809-1162"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.