CVE-2011-3218

2011-10-1410:55:00

CWE-79

[email protected]

web.nvd.nist.gov

cve-2011-3218

quicktime

apple

mac os x

xss

cross-site scripting

man-in-the-middle

local viewing

exported document

nvd

4.8 Medium

AI Score

Confidence

High

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

50.6%

JSON

The “Save for Web” selection in QuickTime Player in Apple Mac OS X through 10.6.8 exports HTML documents that contain an http link to a script file, which allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks by spoofing the http server during local viewing of an exported document.

CPENameOperatorVersion
apple:mac_os_xapple mac os xeq10.5.8
apple:mac_os_xapple mac os xeq10.4.3
apple:mac_os_x_serverapple mac os x servereq10.4.3
apple:mac_os_x_serverapple mac os x servereq10.3.2
apple:mac_os_x_serverapple mac os x servereq10.1.5
apple:mac_os_x_serverapple mac os x servereq10.1
apple:mac_os_x_serverapple mac os x servereq10.3.0
apple:mac_os_xapple mac os xeq10.2.5
apple:mac_os_x_serverapple mac os x servereq10.2.2
apple:mac_os_xapple mac os xeq10.6.7

CPE	Name	Operator	Version
apple:mac_os_x	apple mac os x	eq	10.5.8
apple:mac_os_x	apple mac os x	eq	10.4.3
apple:mac_os_x_server	apple mac os x server	eq	10.4.3
apple:mac_os_x_server	apple mac os x server	eq	10.3.2
apple:mac_os_x_server	apple mac os x server	eq	10.1.5
apple:mac_os_x_server	apple mac os x server	eq	10.1
apple:mac_os_x_server	apple mac os x server	eq	10.3.0
apple:mac_os_x	apple mac os x	eq	10.2.5
apple:mac_os_x_server	apple mac os x server	eq	10.2.2
apple:mac_os_x	apple mac os x	eq	10.6.7