CVE-2008-1999

Apple Safari 3.1.1 allows remote attackers to spoof the address bar by placing many "invisible" characters in the userinfo subcomponent of the authority component of the URL (aka the user field), as demonstrated by %E3%80%80 sequences.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://es.geocities.com/jplopezy/pruebasafari3.html
http://secunia.com/advisories/29900	Vendor Advisory
http://securityreason.com/securityalert/3833
http://www.securityfocus.com/archive/1/491192/100/0/threaded
http://www.vupen.com/english/advisories/2008/1347
https://exchange.xforce.ibmcloud.com/vulnerabilities/41981

Configurations

Configuration 1 (hide)

cpe:2.3:a:apple:safari:3.1.1:*:*:*:*:*:*:*

History

No history.

Information

Published : 2008-04-28 20:05

Updated : 2018-10-11 20:38

NVD link : CVE-2008-1999

Mitre link : CVE-2008-1999

CVE.ORG link : CVE-2008-1999

JSON object : View

Products Affected

apple

safari

CWE

NVD-CWE-Other

{"id": "CVE-2008-1999", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2008-04-28T20:05:00.000", "references": [{"url": "http://es.geocities.com/jplopezy/pruebasafari3.html", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/29900", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://securityreason.com/securityalert/3833", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/491192/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2008/1347", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41981", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Apple Safari 3.1.1 allows remote attackers to spoof the address bar by placing many \"invisible\" characters in the userinfo subcomponent of the authority component of the URL (aka the user field), as demonstrated by %E3%80%80 sequences."}, {"lang": "es", "value": "Apple Safari 3.1.1 permite a atacantes remotos falsificar la barra de direcciones colocando varios caracteres \"invisibles\" en el subcomponente userinfo del componente authority de la URL -tambi\u00e9n conocido como el fichero del usuario (user file)-; como se ha demostrado con las secuencias %E3%80%80."}], "lastModified": "2018-10-11T20:38:42.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apple:safari:3.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C453B588-15FD-4A9C-8BC1-6202A21DAE02"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}