VulDB: Apple Safari up to 5.1.7 feed URL Handler cross site scripting
General

scipID: 5870
Affected: Apple Safari up to 5.1.7
Published: 07/25/2012 (Masato Kinugawa)
Risk: problematic
Entry: 89.5% complete
Created: 08/08/2012
Updated: 09/03/2012
Summary
A vulnerability classified as problematic has been found in Apple Safari up to 5.1.7. It affects an unknown function of the feed URL Handler component. Manipulation with an unknown input leads to cross site scripting. Confidentiality, integrity, and availability are impacted.
The weakness was published on 07/25/2012 by Masato Kinugawa as knowledge base article HT5400 (Apple Security Announce). The advisory is available at support.apple.com. The public release was coordinated with the vendor. This vulnerability has been tracked as CVE-2012-0678 since 01/12/2012. Exploitation is reported to be easy. The attack may be launched remotely, and no form of authentication is required. Technical details are unknown, but a private exploit is available.
Upgrading to version 6 eliminates this vulnerability. A possible mitigation was published immediately after the disclosure of the vulnerability. The vulnerability is also documented in the databases at OSVDB (84213) and Secunia (SA50058).
CVSS
Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
| Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Network | Low | None | Partial | Partial | Partial |
Exploiting
Class: Cross site scripting
Local: No
Remote: Yes
Availability: Yes
Access: Private
Countermeasures
Recommended: Upgrade
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known
Upgrade: Safari 6
Timeline
01/12/2012 | CVE assigned
07/25/2012 | Advisory disclosed
07/25/2012 | Countermeasure disclosed
07/27/2012 | OSVDB entry created
08/08/2012 | VulDB entry created
09/03/2012 | VulDB entry updated
Sources
Advisory: HT5400
Researcher: Masato Kinugawa
Coordinated: Yes
OSVDB: 84213
CVE: CVE-2012-0678 (mitre.org) (nist.org) (cvedetails.com)
Secunia: 50058



















