CVE-2014-4465

Apple WebKit SVG CSS Token - Same Origin Policy Bypass

Title source: manual
STIX 2.1

Description

WebKit in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before 8.0.1 allows remote attackers to bypass the Same Origin Policy via crafted Cascading Style Sheets (CSS) token sequences within an SVG file in the SRC attribute of an IMG element.

References (6)

Core 6
Core References
Vendor Advisory x_refsource_confirm
http://support.apple.com/HT204245
Vendor Advisory x_refsource_confirm
http://support.apple.com/HT204246
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Jan/msg00001.html
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Jan/msg00000.html
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT6596
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2014/Dec/msg00000.html

Scores

EPSS 0.0220
EPSS Percentile 80.4%

Details

CWE
CWE-20
Status published
Products (5)
apple/iphone_os < 8.1.2
apple/safari 7.1.0
apple/safari 8.0.0
apple/safari < 6.2.0
apple/tvos < 7.0.1
Published Dec 10, 2014
Tracked Since Feb 18, 2026