CVE-2017-2387

MEDIUM

Apple Music <2.0 - XSS

Title source: llm

Description

The Apple Music (aka com.apple.android.music) application before 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

References (3)

[Third Party Advisory] http://www.info-sec.ca/advisories/Apple-Music.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/97390

[Vendor Advisory] https://support.apple.com/HT207605

Scores

CVSS v3 4.8

EPSS 0.0017

EPSS Percentile 38.5%

Attack Vector ADJACENT_NETWORK

CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Classification

CWE

CWE-295

Status published

Affected Products (2)

apple/apple_music

n/a/Apple Music before 2.0 for Android < Apple Music before 2.0 for Android

Timeline

Published Apr 07, 2017

Tracked Since Feb 18, 2026