ID

VAR-200706-0341


CVE

CVE-2007-2391


TITLE

Apple Safari for Windows Window.setTimeout Content Spoofing Vulnerability

Trust: 0.9

sources: BID: 24457 // CNNVD: CNNVD-200706-254

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Apple Safari Beta 3.0.1 for Windows allows remote attackers to inject arbitrary web script or HTML via a web page that includes a window.setTimeout callback that fires after the user has navigated away from the current page. During such an attack, the originating URL and window title reportedly still display the originating domain rather than the attacking domain. This issue affects Safari 3.0 (522.11.3) on Windows 2003 SE SP2 and Windows XP SP2. NOTE: Apple has released Safari 3.0.1 Beta for Windows

Trust: 1.98

sources: NVD: CVE-2007-2391 // JVNDB: JVNDB-2007-001940 // BID: 24457 // VULHUB: VHN-25753

AFFECTED PRODUCTS

vendor: apple, model: safari, scope: eq, version: 3.0.1

Trust: 1.6

vendor: apple, model: safari, scope: eq, version: windows edition beta 3.0.1

Trust: 0.8

vendor: apple, model: safari beta, scope: eq, version: 3

Trust: 0.3

vendor: apple, model: safari beta for windows, scope: ne, version: 3.0.1

Trust: 0.3

sources: BID: 24457 // JVNDB: JVNDB-2007-001940 // CNNVD: CNNVD-200706-254 // NVD: CVE-2007-2391

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-2391
value: MEDIUM

Trust: 1.0

NVD: CVE-2007-2391
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200706-254
value: MEDIUM

Trust: 0.6

VULHUB: VHN-25753
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2007-2391
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-25753
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-25753 // JVNDB: JVNDB-2007-001940 // CNNVD: CNNVD-200706-254 // NVD: CVE-2007-2391

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-25753 // JVNDB: JVNDB-2007-001940 // NVD: CVE-2007-2391

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200706-254

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-200706-254

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-001940

PATCH

title: APPLE-SA-2007-06-14
url: http://lists.apple.com/archives/security-announce/2007/Jun/msg00000.html

Trust: 0.8

sources: JVNDB: JVNDB-2007-001940

EXTERNAL IDS

db: NVD, id: CVE-2007-2391

Trust: 2.8

db: BID, id: 24457

Trust: 2.0

db: VUPEN, id: ADV-2007-2192

Trust: 1.7

db: SECTRACK, id: 1018238

Trust: 1.7

db: OSVDB, id: 36605

Trust: 1.1

db: JVNDB, id: JVNDB-2007-001940

Trust: 0.8

db: BUGTRAQ, id: 20070613 RE: [FULL-DISCLOSURE] APPLE SAFARI: COOKIE STEALING

Trust: 0.6

db: BUGTRAQ, id: 20070613 APPLE SAFARI: COOKIE STEALING

Trust: 0.6

db: XF, id: 34847

Trust: 0.6

db: APPLE, id: APPLE-SA-2007-06-14

Trust: 0.6

db: CNNVD, id: CNNVD-200706-254

Trust: 0.6

db: VULHUB, id: VHN-25753

Trust: 0.1

sources: VULHUB: VHN-25753 // BID: 24457 // JVNDB: JVNDB-2007-001940 // CNNVD: CNNVD-200706-254 // NVD: CVE-2007-2391

REFERENCES

url: http://lists.apple.com/archives/security-announce/2007/jun/msg00000.html

Trust: 1.7

url: http://www.securityfocus.com/bid/24457

Trust: 1.7

url: http://www.securityfocus.com/archive/1/471255/100/0/threaded

Trust: 1.7

url: http://securitytracker.com/id?1018238

Trust: 1.7

url: http://www.securityfocus.com/archive/1/471266/100/0/threaded

Trust: 1.1

url: http://osvdb.org/36605

Trust: 1.1

url: http://www.vupen.com/english/advisories/2007/2192

Trust: 1.1

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/34847

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-2391

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-2391

Trust: 0.8

url: http://xforce.iss.net/xforce/xfdb/34847

Trust: 0.6

url: http://www.securityfocus.com/archive/1/archive/1/471266/100/0/threaded

Trust: 0.6

url: http://www.frsirt.com/english/advisories/2007/2192

Trust: 0.6

url: http://www.apple.com/safari/

Trust: 0.3

sources: VULHUB: VHN-25753 // BID: 24457 // JVNDB: JVNDB-2007-001940 // CNNVD: CNNVD-200706-254 // NVD: CVE-2007-2391

CREDITS

Robert Swiecki is credited with the discovery of this vulnerability.

Trust: 0.9

sources: BID: 24457 // CNNVD: CNNVD-200706-254

SOURCES

db: VULHUB, id: VHN-25753
db: BID, id: 24457
db: JVNDB, id: JVNDB-2007-001940
db: CNNVD, id: CNNVD-200706-254
db: NVD, id: CVE-2007-2391

LAST UPDATE DATE

2024-08-14T14:59:00.991000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-25753, date: 2018-10-16T00:00:00
db: BID, id: 24457, date: 2007-06-14T20:59:00
db: JVNDB, id: JVNDB-2007-001940, date: 2012-06-26T00:00:00
db: CNNVD, id: CNNVD-200706-254, date: 2007-06-19T00:00:00
db: NVD, id: CVE-2007-2391, date: 2018-10-16T16:43:17.960

SOURCES RELEASE DATE

db: VULHUB, id: VHN-25753, date: 2007-06-14T00:00:00
db: BID, id: 24457, date: 2007-06-13T00:00:00
db: JVNDB, id: JVNDB-2007-001940, date: 2012-06-26T00:00:00
db: CNNVD, id: CNNVD-200706-254, date: 2007-06-14T00:00:00
db: NVD, id: CVE-2007-2391, date: 2007-06-14T18:30:00