CVE-2017-2446

Published: 02/04/2017 Updated: 03/10/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 693
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

An issue exists in certain Apple products. iOS prior to 10.3 is affected. Safari prior to 10.1 is affected. tvOS prior to 10.2 is affected. The issue involves the "WebKit" component. It allows remote malicious users to execute arbitrary code via a crafted web site that leverages the mishandling of strict mode functions.

Vulnerable Product

apple tvos

apple safari

apple iphone os

Vendor Advisories

An issue has been found in WebKit, allowing remote attackers to execute arbitrary code via a crafted web site that leverages the mishandling of strict mode functions ...
Several security issues were fixed in WebKitGTK+ ...
Arch Linux Security Advisory ASA-201704-9
Severity: Critical
Date: 2017-04-28
CVE-ID: CVE-2016-9642 CVE-2016-9643 CVE-2017-2367 CVE-2017-2376 CVE-2017-2377 CVE-2017-2386 CVE-2017-2392 CVE-2017-2394 CVE-2017-2395 CVE-2017-2396 CVE-2017-2405 CVE-2017-2415 CVE-2017-2419 CVE ...

Exploits

Source: bugs.chromium.org/p/project-zero/issues/detail?id=1036. There is a type confusion vulnerability when calling DateTimeFormat.format. This function is provided as a bound function by a getter in the DateTimeFormat class. Binding the function ensures that the this object is of the right type. However, when the bound function is ...
Source: bugs.chromium.org/p/project-zero/issues/detail?id=1032. If a builtin script in webkit is in strict mode, but then calls a function that is not strict, this function is allowed to call Function.caller and can obtain a reference to the strict function. This is inconsistent with the behavior when executing non-builtin scripts i ...

Github Repositories

35C3CTF - WebKid Writeup. Introduction: It's been a long time since I've wanted to get into browser exploitation and this 35c3ctf challenge seemed like a perfect opportunity to start. This writeup will be written from the perspective of a complete beginner on the subject. Hopefully it will help people starting get a better understanding of some nuances. The Challenge: Th

https://github.com/qazbnm456/awesome-web-security

Awesome Web Security. Curated list of Web Security materials and resources. Needless to say, most websites suffer from various types of bugs which may eventually lead to vulnerabilities. Why would this happen so often? There can be many factors involved including misconfiguration, shortage of engineers' security skills, etc. To combat this, here is a curated list of We

Cybersecurity Web Security. The World of Web Security in Cybersecurity: A collection of Web Security materials, libraries, documents, books, resources and cool stuff about in Cybersecurity. Thanks to all contributors, you're awesome and wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources. Ensu

An updated collection of resources targeting browser-exploitation.

Browser-Pwn. The world of Browsers is dominated by 4 major players: Chromium/Chrome (Blink-Engine), Firefox (Gecko-Engine), Safari (WebKit-Engine), Edge (Blink-Engine (former EdgeHTML-Engine)). The following is split into two parts: Information that helps to understand their architecture and implementation and how to build them from sources; Information that helps finding their cal

Exploiting a V8 OOB write (2017); saelo - Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622 (2016-10-27); $hell on Earth: From Browser to System Compromise (2016); Heap spraying high addresses in 32-bit Chrome/Firefox on 64-bit Windows (2016); Smashing The Browser: From Vulnerability Discovery To Exploit (2014); Microsoft Edge 浏览器远程代码执行漏

A collection of JavaScript engine CVEs with PoCs

Case Study of JavaScript Engine Vulnerabilities

V8

CVE Number | Feature | Keywords | Credit
CVE-2013-6632 | TypedArray | Integer Overflow, OOB | Pinkie Pie
CVE-2014-1705 | TypedArray | Invalid Array Length, OOB | geohot
CVE-2014-3176 | Array.concat | Side Effect, OOB | lokihardt
CVE-2014-7927 | Optimization | asm.js, OOB | Christian Holler
CVE-2014-7928 | Optimization | Array | Christian Holler
C

Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out current. Contents: CVE-2011-2856 CVE-2011-3243 CVE-2013-2618 CVE-2013-6632 CVE-2014-1701 CVE-2014-1705 CVE-2014-1747 CVE-2014-3176 CVE-2014-6332 CVE-2014-7927 CVE-2014-7928 CVE-2015-0072 CVE-2015-0235 CVE-2015-0240 CVE-2015-1233 CVE-2015-1242 CVE-2015-1268 CV

Awesome CVE PoC. A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :