Lucene search

F-SecureUSCVELIST:CVE-2021-40835

HistoryDec 16, 2021 - 10:58 a.m.

CVE-2021-40835 URL Address Bar Spoofing in F-Secure SAFE Browser for iOS

2021-12-1610:58:55

F-SecureUS

www.cve.org

4.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

4.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.1%

JSON

An URL Address bar spoofing vulnerability was discovered in Safe Browser for iOS. When user clicks on a specially crafted a malicious URL, if user does not carefully pay attention to url, user may be tricked to think content may be coming from a valid domain, while it comes from another. This is performed by using a very long username part of the url so that user cannot see the domain name. A remote attacker can leverage this to perform url address bar spoofing attack. The fix is, browser no longer shows the user name part in address bar.

CNA Affected

[
  {
    "platforms": [
      "iOS"
    ],
    "product": "F-Secure Mobile Security",
    "vendor": "F-Secure",
    "versions": [
      {
        "lessThan": "18.5",
        "status": "affected",
        "version": "18.3",
        "versionType": "custom"
      }
    ]
  }
]

References

www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame

www.f-secure.com/en/business/support-and-downloads/security-advisories