Kaspersky LabKLA11455KLA11455 Multiple vulnerabilities in Apple iTunes
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.8 High
AI Score
Confidence
High
0.84 High
EPSS
Percentile
98.5%
Multiple vulnerabilities were found in Apple iTunes. Malicious users can exploit these vulnerabilities to execute arbitrary code, perform cross-site scripting attack, obtain sensitive information, bypass security restrictions and gain privileges.
Below is a complete list of vulnerabilities:
- A type confusion vulnerability in WebKit can be exploited remotely to execute arbitrary code;
- Multiple memory corruption vulnerabilities can be exploited remotely to execute arbitrary code;
- Multiple logic vulnerabilities in WebKit can be exploited remotely to perform cross-site scripting attack;
- A validation vulnerability in WebKit can be exploited remotely to obtain sensitive information;
- A memory corruption vulnerability can be exploited loccaly to bypass security restrictions;
- A buffer overflow vulnerability in CoreCrypto can be exploited locally to elevate privileges;
- A cross-origin vulnerability in WebKit can be exploited locally to obtain sensitive information;
Original advisories
Exploitation
Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.
Related products
CVE list
CVE-2019-7285 critical
CVE-2019-6201 critical
CVE-2019-8506 critical
CVE-2019-8518 critical
CVE-2019-8563 high
CVE-2019-8544 critical
CVE-2019-8551 warning
CVE-2019-8535 critical
CVE-2019-8523 critical
CVE-2019-8559 high
CVE-2019-8558 high
CVE-2019-8503 critical
CVE-2019-8556 high
CVE-2019-7292 warning
CVE-2019-8562 high
CVE-2019-8524 high
CVE-2019-8536 critical
CVE-2019-8542 high
CVE-2019-8515 warning
CVE-2019-8639 high
CVE-2019-8638 high
Solution
Update to the latest version
Impacts
- ACE
Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.
- OSI
Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.
- SB
Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.
- PE
Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.
- XSS/CSS
Cross site scripting. Exploitation of vulnerabilities with this impact can lead to partial interception of information transmitted between user and site.
Affected Products
- Apple iTunes earlier than 12.9.4
Related
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.8 High
AI Score
Confidence
High
0.84 High
EPSS
Percentile
98.5%