CVE-2014-1346 — Improper Input Validation in Apple Safari

CWE-20 — Improper Input Validation5 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

0.6%

top 30.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Safari

Timeline

PublishedMay 22

Latest updateMay 17

Description

WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, does not properly interpret Unicode encoding, which allows remote attackers to spoof a postMessage origin, and bypass intended restrictions on sending a message to a connected frame or window, via crafted characters in a URL.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDapple/safari6.1.3+13

🔴Vulnerability Details

GHSA

GHSA-jg99-gc3w-rpvv: WebKit, as used in Apple Safari before 6↗2022-05-17

▶

OSV

CVE-2014-1346: WebKit, as used in Apple Safari before 6↗2014-05-22

▶

📋Vendor Advisories

Red Hat

webkitgtk: improper Unicode encoding interpretation (WSA-2015-0001)↗2015-01-26

▶

💬Community

Bugzilla

CVE-2014-1346 webkitgtk: improper Unicode encoding interpretation (WSA-2015-0001)↗2015-01-27

▶