CVE-2019-8690

MEDIUM

iCloud < 7.13 - Universal Cross-Site Scripting via Malicious Web Content

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-8690. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit leverages a UXSS vulnerability in WebKit (CVE-2019-8690) by manipulating XSLT transformations and frame navigation to bypass the `m_documentIsBeingReplaced` flag, allowing cross-origin script execution. The PoC demonstrates how an attacker can trigger JavaScript execution in a victim frame via a crafted stylesheet and frame hierarchy.

Description

A logic issue existed in the handling of document loads. This issue was addressed with improved state management. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for Windows 7.13, iCloud for Windows 10.6. Processing maliciously crafted web content may lead to universal cross site scripting.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · textdosmultiple

https://www.exploit-db.com/exploits/47237

View Code ZIP pw:eip

This exploit leverages a UXSS vulnerability in WebKit (CVE-2019-8690) by manipulating XSLT transformations and frame navigation to bypass the `m_documentIsBeingReplaced` flag, allowing cross-origin script execution. The PoC demonstrates how an attacker can trigger JavaScript execution in a victim frame via a crafted stylesheet and frame hierarchy.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Complex

Reliability

Reliable

Target: WebKit (Safari) revision 245321 and earlier

No auth needed

Prerequisites: Victim must visit a malicious webpage · WebKit-based browser (e.g., Safari)

MITRE ATT&CK