Vulnerability Details : CVE-2020-9952
An input validation issue was addressed with improved input validation. This issue is fixed in iOS 14.0 and iPadOS 14.0, tvOS 14.0, watchOS 7.0, Safari 14.0, iCloud for Windows 11.4, iCloud for Windows 7.21. Processing maliciously crafted web content may lead to a cross site scripting attack.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2020-9952
- cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
- cpe:2.3:a:apple:icloud:*:*:*:*:*:windows:*:*
- cpe:2.3:a:apple:icloud:*:*:*:*:*:windows:*:*
- cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
- cpe:2.3:a:webkit:webkitgtk\+:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-9952
0.22%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 60 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-9952
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.8
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:P |
8.6
|
4.9
|
NIST | |
|
7.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
2.8
|
3.7
|
NIST |
CWE ids for CVE-2020-9952
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-9952
-
http://seclists.org/fulldisclosure/2020/Nov/18
Full Disclosure: APPLE-SA-2020-11-13-5 Additional information for APPLE-SA-2020-09-16-3 Safari 14.0Mailing List;Third Party Advisory
-
https://support.apple.com/HT211843
About the security content of tvOS 14.0 - Apple SupportRelease Notes;Vendor Advisory
-
http://seclists.org/fulldisclosure/2020/Nov/22
Full Disclosure: APPLE-SA-2020-11-13-6 Additional information for APPLE-SA-2020-09-16-4 watchOS 7.0Mailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202012-10
WebkitGTK+: Multiple vulnerabilities (GLSA 202012-10) — Gentoo securityThird Party Advisory
-
https://support.apple.com/HT211846
About the security content of iCloud for Windows 11.4 - Apple SupportRelease Notes;Vendor Advisory
-
http://seclists.org/fulldisclosure/2020/Nov/20
Full Disclosure: APPLE-SA-2020-11-13-3 Additional information for APPLE-SA-2020-09-16-1 iOS 14.0 and iPadOS 14.0Mailing List;Third Party Advisory
-
https://support.apple.com/HT211847
About the security content of iCloud for Windows 7.21 - Apple SupportRelease Notes;Vendor Advisory
-
https://support.apple.com/HT211850
About the security content of iOS 14.0 and iPadOS 14.0 - Apple SupportVendor Advisory
-
http://www.openwall.com/lists/oss-security/2020/11/23/3
oss-security - WebKitGTK and WPE WebKit Security Advisory WSA-2020-0008Mailing List
-
http://seclists.org/fulldisclosure/2020/Nov/19
Full Disclosure: APPLE-SA-2020-11-13-4 Additional information for APPLE-SA-2020-09-16-2 tvOS 14.0Mailing List;Third Party Advisory
-
https://support.apple.com/HT211844
About the security content of watchOS 7.0 - Apple SupportRelease Notes;Vendor Advisory
-
https://support.apple.com/HT211845
About the security content of Safari 14.0 - Apple SupportRelease Notes;Vendor Advisory
Jump to