Apple iCloud 7.x < 7.13 / 10.x < 10.6 Multiple Vulnerabilities

High Nessus Plugin ID 127914

Synopsis

An iCloud software installed on the remote Windows host is affected by multiple vulnerabilities.

Description

According to its version, the iCloud application installed on the remote Windows host is 7.x prior to 7.13 or 10.x prior to 10.6. It is, therefore, affected by multiple vulnerabilities:

- Multiple arbitrary code execution vulnerabilities exist with in the WebKit due to improper handling of maliciously crafted content. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689)

- A cross-site scripting (XSS) vulnerability exists with in the WebKit due to improper handling synchronous page loads.
An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session. (CVE-2019-8649)

- A cross-site scripting (XSS) vulnerability exists with in the WebKit due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session. (CVE-2019-8658)

- A cross-site scripting (XSS) vulnerability exists with in the WebKit due to improper handling of document loads. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session. (CVE-2019-8690)

- An information disclosure vulnerability exists in the included libxslt library due to improper input validation. An unauthenticated, remote attacker can exploit this, to disclose potentially sensitive information. (CVE-2019-13118)

Solution

Upgrade to iCloud version 7.13, 10.6, or later.

See Also

https://support.apple.com/en-us/HT210357

https://support.apple.com/en-us/HT210358

Plugin Details

Severity: High

ID: 127914

File Name: icloud_10_6.nasl

Version: 1.4

Type: local

Agent: windows

Family: Windows

Published: 2019/08/20

Updated: 2020/01/02

Dependencies: 58292

Risk Information

Risk Factor: High

CVSS Score Source: CVE-2019-8689

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apple:icloud_for_windows

Required KB Items: installed_sw/iCloud

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2019/07/23

Vulnerability Publication Date: 2019/07/23

Reference Information

CVE: CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689, CVE-2019-8690, CVE-2019-13118

BID: 109323, 109328, 109329