Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
kasperskyKaspersky LabKLA11282
HistoryMay 29, 2018 - 12:00 a.m.

KLA11282 Multiple vulnerabilities in Apple iTunes

2018-05-2900:00:00
Kaspersky Lab
threats.kaspersky.com
41

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.935 High

EPSS

Percentile

99.1%

JSON

Multiple serious vulnerabilities have been found in Apple iTunes. Malicious users can exploit these vulnerabilities to execute arbitrary code, spoof user interface and obtain sensitive information.

Below is a complete list of vulnerabilities:

  1. An out-of-bounds read vulnerability in CoreGraphics can be exploited remotely via specially crafted website to execute arbitrary code;
  2. Unspecified vulnerabilities can be exploited locally to obtain sensitive information;
  3. A race condition vulnerability in WebKit can be exploited remotely via specially crafted website to execute arbitrary code;
  4. A type confussion vulnerability in WebKit can be exploited remotely via specially crafted website to execute arbitrary code;
  5. Multiple memory corruption vulnerabilities in WebKit can be exploited remotely via specially crafted website to execute arbitrary code;
  6. An unspecified vulnerability in WebKit can be exploited remotely via specially crafted website to spoof user interface;
  7. A buffer overflow vulnerability in WebKit can be exploited remotely via specially crafted website to execute arbitrary code;
  8. An unspecified vulnerability in WebKit can be exploited remotely via specially crafted website to obtain sensitive information;
  9. An out-of-bounds read vulnerability in WebKit can be exploited remotely via specially crafted website to execute arbitrary code.

Original advisories

About the security content of iTunes 12.7.5 for Windows

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Related products

Apple-iTunes

CVE list

CVE-2018-4194 high

CVE-2018-4218 high

CVE-2018-4246 high

CVE-2018-4222 high

CVE-2018-4224 warning

CVE-2018-4225 warning

CVE-2018-4226 warning

CVE-2018-4232 warning

CVE-2018-4233 high

CVE-2018-4188 warning

CVE-2018-4190 warning

CVE-2018-4192 high

CVE-2018-4199 high

CVE-2018-4200 high

CVE-2018-4201 high

CVE-2018-4204 high

CVE-2018-4214 high

Solution

Update to the latest version

Download iTunes

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

  • Apple iTunes earlier than 12.7.5

Related

apple 18
openvas 19
nessus 24
mageia 2
fedora 5
suse 2
ubuntu 3
zdt 7
cve 17
prion 17
nvd 17
seebug 2
debiancve 12
packetstorm 4
checkpoint_advisories 4
cvelist 17
ubuntucve 13
redhatcve 2
archlinux 1
zdi 3
alpinelinux 1
vulnrichment 1
gentoo 1
thn 1
metasploit 2
exploitdb 1
googleprojectzero 1
centos 1
redhat 1
apple
apple
About the security content of iCloud for Windows 7.5
2018-06-01 00:00:00
About the security content of iCloud for Windows 7.5 - Apple Support
2019-10-08 03:48:52
About the security content of iTunes 12.7.5 for Windows
2018-05-29 00:00:00
openvas
openvas
Apple iTunes Security Updates (HT208852)
2018-06-06 00:00:00
Apple iCloud Security Updates (HT208853)
2018-06-06 00:00:00
Apple Safari Security Updates (HT208854)
2018-06-04 00:00:00
nessus
nessus
Apple iTunes < 12.7.5 Multiple Vulnerabilities (uncredentialed check)
2018-06-06 00:00:00
Apple iTunes < 12.7.5 Multiple Vulnerabilities (credentialed check)
2018-06-06 00:00:00
macOS : Apple Safari < 11.1.1 Multiple Vulnerabilities
2019-07-02 00:00:00
mageia
mageia
Updated webkit2 packages fix security vulnerability
2018-07-01 20:17:14
Updated webkit2 packages fix security vulnerabilities
2018-05-29 22:41:14
fedora
fedora
[SECURITY] Fedora 27 Update: webkitgtk4-2.20.3-1.fc27
2018-06-29 08:06:09
[SECURITY] Fedora 28 Update: webkit2gtk3-2.20.3-1.fc28
2018-06-16 20:20:25
[SECURITY] Fedora 27 Update: webkitgtk4-2.20.2-1.fc27
2018-05-15 19:54:33
suse
suse
Security update for webkit2gtk3 (moderate)
2018-08-10 03:08:49
Security update for webkit2gtk3 (moderate)
2018-10-26 00:11:58
ubuntu
ubuntu
WebKitGTK+ vulnerabilities
2018-06-18 00:00:00
WebKitGTK+ vulnerability
2018-05-08 00:00:00
WebKitGTK+ vulnerabilities
2018-08-16 00:00:00
zdt
zdt
WebKitGTK+ Memory Corruption / Code Execution Vulnerability
2018-05-09 00:00:00
WebKit - WebAssembly Compilation Info Leak Exploit
2018-06-09 00:00:00
WebKit WebCore::jsElementScrollHeightGette Use-After-Free Exploit
2018-05-02 00:00:00
cve
cve
CVE-2018-4224
2018-06-08 18:29:01
CVE-2018-4222
2018-06-08 18:29:01
CVE-2018-4232
2018-06-08 18:29:01
prion
prion
Code injection
2018-06-08 18:29:00
Memory corruption
2018-06-08 18:29:00
Code injection
2018-06-08 18:29:00
nvd
nvd
CVE-2018-4224
2018-06-08 18:29:01
CVE-2018-4222
2018-06-08 18:29:01
CVE-2018-4225
2018-06-08 18:29:01
seebug
seebug
WebKit: Info leak in WebAssembly Compilation(CVE-2018-4222)
2018-06-08 00:00:00
WebKit: Use-after-free when resuming generator(CVE-2018-4218)
2018-06-08 00:00:00
debiancve
debiancve
CVE-2018-4222
2018-06-08 18:29:01
CVE-2018-4200
2018-06-08 18:29:00
CVE-2018-4232
2018-06-08 18:29:01
packetstorm
packetstorm
WebKit WebCore::jsElementScrollHeightGette Use-After-Free
2018-05-01 00:00:00
JavaScript Core Arbitrary Code Execution
2018-07-18 00:00:00
Safari Webkit Proxy Object Type Confusion
2019-06-02 00:00:00
checkpoint_advisories
checkpoint_advisories
KDE WebKit Use-after-free Memory Corruption (CVE-2018-4200)
2018-05-07 00:00:00
Apple WebKit Out Of Bounds Read (CVE-2018-4222)
2018-07-30 00:00:00
Apple WebKit Memory Corruption (CVE-2018-4233)
2018-12-31 00:00:00
cvelist
cvelist
CVE-2018-4232
2018-06-08 18:00:00
CVE-2018-4226
2018-06-08 18:00:00
CVE-2018-4222
2018-06-08 18:00:00
ubuntucve
ubuntucve
CVE-2018-4222
2018-06-08 00:00:00
CVE-2018-4199
2018-06-08 00:00:00
CVE-2018-4232
2018-06-08 00:00:00
redhatcve
redhatcve
CVE-2018-4200
2020-01-19 03:34:24
CVE-2018-4204
2018-05-12 09:25:15
archlinux
archlinux
[ASA-201805-9] webkit2gtk: arbitrary code execution
2018-05-13 00:00:00
zdi
zdi
(Pwn2Own) Apple Safari SVG Heap-based Buffer Overflow Remote Code Execution Vulnerability
2018-07-26 00:00:00
(Pwn2Own) Apple Safari CreateThis Type Confusion Remote Code Execution Vulnerability
2018-10-30 00:00:00
Apple Safari Array splice Out-Of-Bounds Access Remote Code Execution Vulnerability
2018-07-26 00:00:00
alpinelinux
alpinelinux
CVE-2018-4246
2018-06-08 18:29:02
vulnrichment
vulnrichment
CVE-2018-4233
2018-06-08 18:00:00
gentoo
gentoo
WebkitGTK+: Multiple vulnerabilities
2018-08-22 00:00:00
thn
thn
LightSpy Spyware's macOS Variant Found with Advanced Surveillance Capabilities
2024-06-07 15:44:00
metasploit
metasploit
Safari Webkit Proxy Object Type Confusion
2019-06-02 02:19:24
Safari Proxy Object Type Confusion
2018-11-15 00:44:18
exploitdb
exploitdb
Safari - Proxy Object Type Confusion (Metasploit)
2018-12-14 00:00:00
googleprojectzero
googleprojectzero
The Problems and Promise of WebAssembly
2018-08-16 00:00:00
centos
centos
PackageKit, accountsservice, adwaita, appstream, at, atk, baobab, bolt, brasero, cairo, cheese, clutter, compat, control, dconf, devhelp, ekiga, empathy, eog, evince, evolution, file, flatpak, folks, fontconfig, freetype, fribidi, fwupd, fwupdate, gcr, gdk, gdm, gedit, geoclue2, geocode, gjs, glade, glib, glib2, glibmm24, gnome, gnote, gobject, gom, google, grilo, gsettings, gspell, gssdp, gstreamer1, gtk, gtk3, gtksourceview3, gucharmap, gupnp, gvfs, harfbuzz, json, libappstream, libchamplain, libcroco, libgdata, libgee, libgepub, libgexiv2, libgnomekbd, libgovirt, libgtop2, libgweather, libgxps, libical, libmediaart, libosinfo, libpeas, librsvg2, libsecret, libsoup, libwayland, libwnck3, mozjs52, mutter, nautilus, openchange, osinfo, pango, poppler, python2, rest, rhythmbox, seahorse, shotwell, sushi, totem, upower, vala, valadoc, vino, vte, vte291, wayland, webkitgtk4, xdg, yelp, zenity security update
2018-11-15 18:43:07
redhat
redhat
(RHSA-2018:3140) Moderate: GNOME security, bug fix, and enhancement update
2018-10-30 04:22:45

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.935 High

EPSS

Percentile

99.1%

JSON
Related for KLA11282
apple18openvas19nessus24mageia2fedora5suse2ubuntu3zdt7cve17prion17nvd17seebug2debiancve12packetstorm4checkpoint_advisories4cvelist17ubuntucve13redhatcve2archlinux1zdi3alpinelinux1vulnrichment1gentoo1thn1metasploit2exploitdb1googleprojectzero1centos1redhat1