CVE-2008-2540: Improper Input Validation in Apple Safari

Severity
9.3 CRITICAL (NVD)
NVD: 2.6
EPSS: 43.1% (top 2.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jun 3
Latest update: May 1

Description

Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista

CVSS vector

AV:N/AC:M/C:C/I:C/A:C
Exploitability: 8.6 | Impact: 10.0

Affected Packages (2 packages)

NVD: apple/safari < 3.1.2
NVD: mozilla/firefox 2.0.0.15 (+62)

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-6mfp-r743-cc3p: Apple Safari on Mac OS X, and before 3 (2022-05-01)
GHSA: GHSA-9wm7-g493-2j99: Mozilla Firefox before 2 (2022-05-01)

📋 Vendor Advisories (1)

Red Hat: Firefox command line URL launches multi-tabs (2008-07-15)