CVE-2017-2419

Published: 02/04/2017 Updated: 03/10/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

An issue exists in certain Apple products. iOS prior to 10.3 is affected. Safari prior to 10.1 is affected. The issue involves the "WebKit" component. It allows remote malicious users to bypass a Content Security Policy protection mechanism via unspecified vectors.

Vulnerable Products

apple safari

apple iphone os

Vendor Advisories

An issue has been found in WebKit, allowing remote attackers to bypass a Content Security Policy protection mechanism via unspecified vectors ...
About Apple security updates: For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page. For more information about security, see the Apple Product Security page. You can encrypt ...
Several security issues were fixed in WebKitGTK+ ...
Arch Linux Security Advisory ASA-201704-9. Severity: Critical. Date: 2017-04-28. CVE-ID: CVE-2016-9642 CVE-2016-9643 CVE-2017-2367 CVE-2017-2376 CVE-2017-2377 CVE-2017-2386 CVE-2017-2392 CVE-2017-2394 CVE-2017-2395 CVE-2017-2396 CVE-2017-2405 CVE-2017-2415 CVE-2017-2419 CVE ...

Github Repositories

Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out current Contents CVE-2011-2856 CVE-2011-3243 CVE-2013-2618 CVE-2013-6632 CVE-2014-1701 CVE-2014-1705 CVE-2014-1747 CVE-2014-3176 CVE-2014-6332 CVE-2014-7927 CVE-2014-7928 CVE-2015-0072 CVE-2015-0235 CVE-2015-0240 CVE-2015-1233 CVE-2015-1242 CVE-2015-1268 CV

Awesome CVE PoC: A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page:

Recent Articles

Microsoft won't patch Edge browser content security bypass
The Register • Richard Chirgwin • 07 Sep 2017

Tells Cisco's Talos it's a feature, not a bug. Apple and Google disagree and fixed it

Which of Google, Apple and Microsoft think a content security bypass doesn't warrant a browser patch?
Thanks to Cisco Talos security bod Nicolai Grødum, who found the cross-site scripting bug that affects older Chrome and Safari plus current versions of Edge, we know the answer is "Microsoft".
Grødum posted news of Microsoft's attitude here, explaining that if you use Chrome 57.0.2987.98 or later, you're already protected against CVE-2017-5033. Ditto users of iOS later than 10.3 an...

Apple and Google Fix Browser Bug. Microsoft Does Not.
BleepingComputer • Catalin Cimpanu • 07 Sep 2017

Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively.
According to Cisco Talos researcher Nicolai Grødum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of peop...