CVE-2017-2363

MEDIUM

Apple <10.2.1, <10.0.3, <10.1.1, <3.1.3 - CSRF

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-2363. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit leverages a UXSS (Universal Cross-Site Scripting) vulnerability in WebKit's FrameLoader::clear function, allowing arbitrary JavaScript execution in the context of a new document's window via crafted unload event handlers. Tested on Safari 10.0.2.

Description

An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. tvOS before 10.1.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · htmlwebappsmacos

https://www.exploit-db.com/exploits/41449

View Code ZIP pw:eip

This exploit leverages a UXSS (Universal Cross-Site Scripting) vulnerability in WebKit's FrameLoader::clear function, allowing arbitrary JavaScript execution in the context of a new document's window via crafted unload event handlers. Tested on Safari 10.0.2.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Apple Safari 10.0.2 (WebKit)

No auth needed

Prerequisites: Victim must visit a malicious webpage

MITRE ATT&CK