7.8
CVSSv3

CVE-2021-30860

Published: 24/08/2021 Updated: 06/04/2022
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Apple iOS 14.8 and iPadOS 14.8 update: An integer overflow was addressed with improved input validation. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apple ipados

apple iphone os

apple mac os x

apple mac os x 10.15.7

apple macos

apple watchos

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2021-09-13-3 macOS Big Sur 116 macOS Big Sur 116 addresses the following issues Information about the security content is also available at supportapplecom/HT212804 CoreGraphics Available for: macOS Big Sur Impact: Processing a maliciously crafted PDF may lead to arbitrary co ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2021-09-13-1 iOS 148 and iPadOS 148 iOS 148 and iPadOS 148 addresses the following issues Information about the security content is also available at supportapplecom/HT212807 CoreGraphics Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2021-09-23-1 iOS 1255 iOS 1255 addresses the following issues Information about the security content is also available at supportapplecom/HT212824 CoreGraphics Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generat ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2021-09-13-2 watchOS 762 watchOS 762 addresses the following issues Information about the security content is also available at supportapplecom/HT212806 CoreGraphics Available for: Apple Watch Series 3 and later Impact: Processing a maliciously crafted PDF may lead to arbit ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2021-09-13-4 Security Update 2021-005 Catalina Security Update 2021-005 Catalina addresses the following issues Information about the security content is also available at supportapplecom/HT212805 CoreGraphics Available for: macOS Catalina Impact: Processing a maliciously craft ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2021-09-20-8 Additional information for APPLE-SA-2021-09-13-4 Security Update 2021-005 Catalina Security Update 2021-005 Catalina addresses the following issues Information about the security content is also available at supportapplecom/HT212805 CoreGraphics Available for: macO ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2021-09-20-6 Additional information for APPLE-SA-2021-09-13-1 iOS 148 and iPadOS 148 iOS 148 and iPadOS 148 addresses the following issues Information about the security content is also available at supportapplecom/HT212807 Bluetooth Available for: iPhone 6s and later, iPad ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2021-09-20-7 Additional information for APPLE-SA-2021-09-13-3 macOS Big Sur 116 macOS Big Sur 116 addresses the following issues Information about the security content is also available at supportapplecom/HT212804 CoreGraphics Available for: macOS Big Sur Impact: Processing ...

Github Repositories

CVE-2021-30860 CVE-2021-30860 (FORCEDENTRY) is a known vulnerability in MacOS, iOS, and WatchOS It allows arbitrary code execution by sending a victim device a "maliciously crafted PDF" This vulnerability was patched by Apple on September 13, 2021 with the following versions: iOS 148 OSX Big Sur 116, Security Update 2021-005 Catalina WatchOS 762 However, it ha

CVE-2021-30860 Exploit An integer overflow was addressed with improved input validation This issue is fixed in Security Update 2021-005 Catalina, iOS 148 and iPadOS 148, macOS Big Sur 116, watchOS 762 Processing a maliciously crafted PDF may lead to arbitrary code execution Apple is aware of a report that this issue may have been actively exploited Windows Binary PoC

PIA Ingresa el siguiente comando en tu terminal si tienes alguna duda acerca de las --flags que usa el script y para qué sirve cada una: $ python3 piapy -h Tabla de contenidos: Archivos Descripción mainpy Este archivo se usará para ejecutar todas las funciones del script que desees, aunque puedes usar el arch

CVE-T4PDF CVEs and Techniques used PDF as an attack vector Table of contents List of CVEs List of Techniques List of CVEs Name Description PoC CVE-2022-30775 xpdf 404 allocates excessive memory when presented with crafted input This can be triggered by (for example) sending a crafted PDF document to the pdftoppm binary It is most easily reproduced with the DCMAKE

PoC in GitHub 2022 CVE-2022-0185 (2022-02-11) A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a f

PoC in GitHub 2021 CVE-2021-1056 (2021-01-07) NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidiako) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure pokerfaceSad/CVE-2021-1056 CVE-2021-

Recent Articles

Pegasus Spyware Takes Flight Again
Symantec Threat Intelligence Blog • Kevin Watkins • 23 Sep 2022

Symantec solutions help detect, filter, and block the threat.

Posted: 23 Sep, 20213 Min ReadThreat Intelligence SubscribeFollowtwitterlinkedinPegasus Spyware Takes Flight AgainSymantec solutions help detect, filter, and block the threat.The recent iOS 14.8 update fixes a zero-day, zero-click exploit for a vulnerability affecting every mobile iOS device. The flaw, dubbed FORCEDENTRY (CVE-2021-30860), resided in Apple’s iMessage and, according to a report by The Citizen Lab, was used to push NSO Group...

Facebook locks out 1,500 fake accounts used by cyber-spy firms to snoop on people, alerts 50k potential targets
The Register • Thomas Claburn in San Francisco • 17 Dec 2021

Get our weekly newsletter Meta adverse to internet mercenaries using its social networks to help governments violate human rights

Facebook successor Meta on Thursday said it canceled 1,500 social media accounts used by seven surveillance-for-hire firms to conduct online attacks against government critics and members of civil society.
These accounts were primarily used to observe targets and lure them into visiting malicious websites, or receiving booby-trapped messages, typically, that compromise their devices and online profiles. Tens of thousands of people potentially targeted by these groups have been privately al...

Apple Patches 3 More Zero-Days Under Active Attack
Threatpost • Elizabeth Montalbano • 24 Sep 2021

Apple has patched three actively exploited zero-day security vulnerabilities in updates to iOS and macOS, one of which can allow an attacker to execute arbitrary code with kernel privileges.
Apple released two updates on Thursday: iOS 12.5.5, which patches three zero-days that affect older versions of iPhone and iPod devices, and Security Update 2021-006 Catalina for macOS Catalina, which patches one of same vulnerabilities, CVE-2021-30869, that also affects macOS.
The XNU kernel vul...

Apple emergency patches fix zero-click iMessage bug used to inject NSO spyware
The Register • Thomas Claburn in San Francisco • 13 Sep 2021

Get our weekly newsletter Separate flaw in WebKit also under attack squashed, too – and two zero-days in Chrome, as well

Updated Apple on Monday issued security patches for its mobile and desktop operating systems, and for its WebKit browser engine, to address two security flaws, at least one of which was, it is said, used by autocratic governments to spy on human rights advocates.
A day before the iGiant is expected to announce the iPhone 13, it released updates for iOS 14.8 and iPadOS 14.8, watchOS 7.6.2, and macOS Big Sur 11.6. Previous macOS releases Catalina (10.15) and Mojave (10.14) received updated v...

Google tracked record 58 exploited-in-the-wild zero-day security holes in 2021
The Register • Jessica Lyons Hardcastle • 01 Jan 1970

Get our weekly newsletter Friends are always tellin' me, you're a user ... Just be good to free()

Google's bug hunters say they spotted 58 zero-day vulnerabilities being exploited in the wild last year, which is the most-ever recorded since its Project Zero team started analyzing these in mid-2014.
This is more than double the earlier record of 28 zero-day exploits detected in 2015. And miscreants are still using the same old techniques to get away with their mischief.
"With this record number of in-the-wild zero-days to analyze we saw that attacker methodology hasn't actually ha...

Apple fixes iOS zero-day used to deploy NSO iPhone spyware
BleepingComputer • Lawrence Abrams • 01 Jan 1970

Apple has released security updates to fix two zero-day vulnerabilities that have been seen exploited in the wild to attack iPhones and Macs. One is known to be used to install the Pegasus spyware on iPhones.
The vulnerabilities are tracked as CVE-2021-30860 and CVE-2021-30858, and both allow maliciously crafted documents to execute commands when opened on vulnerable devices.
The CVE-2021-30860 CoreGraphics vulnerability is an integer overflow bug discovered by
that allow...

Apple emits emergency fix for exploited-in-the-wild WebKit vulnerability
The Register • Thomas Claburn in San Francisco • 01 Jan 1970

Get our weekly newsletter Flaw imperils Safari – and every iOS browser because of Cupertino's T&Cs

Apple on Thursday patched a zero-day security vulnerability in its WebKit browser engine, issuing updates for iOS, iPadOS, and macOS.
Its Safari browser, based on WebKit, received the security update separately for instances where it is being used with an older version of macOS, like Big Sur. Apple's tvOS was also refreshed, but without the security fix.
The updates – iOS 15.3.1, iPadOS 15.3.1, and macOS Monterey 12.2.1 – address CVE-2022-22620, reported to Apple by an anonymous ...