Vulnerability Details : CVE-2018-4278
In Safari before 11.1.2, iTunes before 12.8 for Windows, iOS before 11.4.1, tvOS before 11.4.1, iCloud for Windows before 7.6, sound fetched through audio elements may be exfiltrated cross-origin. This issue was addressed with improved audio taint tracking.
Products affected by CVE-2018-4278
- cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
- cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
- cpe:2.3:a:apple:icloud:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-4278
0.54%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 77 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-4278
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST | |
4.3
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
2.8
|
1.4
|
NIST |
References for CVE-2018-4278
-
https://support.apple.com/HT208938,
Page Not Found - Official Apple SupportBroken Link;Vendor Advisory
-
https://support.apple.com/HT208936,
Page Not Found - Official Apple SupportBroken Link;Vendor Advisory
-
https://support.apple.com/HT208932
About the security content of iCloud for Windows 7.6 - Apple SupportVendor Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/146479
Apple Safari security bypass CVE-2018-4278 Vulnerability ReportThird Party Advisory
-
https://support.apple.com/HT208934,
Page Not Found - Official Apple SupportBroken Link;Vendor Advisory
-
http://www.securitytracker.com/id/1041232
Apple iOS Multiple Flaws Let Remote Users Deny Service, Execute Arbitrary Code, and Spoof URLs, Remote and Local Users Obtain Potentially Sensitive Information, and Let Applications Gain Elevated PrivThird Party Advisory;VDB Entry
-
https://security.gentoo.org/glsa/201808-04
WebkitGTK+: Multiple vulnerabilities (GLSA 201808-04) — Gentoo securityThird Party Advisory
-
https://support.apple.com/HT208933,
Page Not Found - Official Apple SupportBroken Link;Vendor Advisory
-
https://usn.ubuntu.com/3743-1/
USN-3743-1: WebKitGTK+ vulnerabilities | Ubuntu security noticesThird Party Advisory
Jump to