CVE-2021-30862

MEDIUM

iTunes U < 3.8.3 - Remote Code Execution via Malicious URL Processing

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-30862. PoCs published by 3h6-1.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2021-30862, targeting a logic bug in iTunes U's URL scheme handling. The exploit demonstrates memory corruption via a use-after-free (UAF) vulnerability, leveraging iTunes API functions to achieve potential remote code execution (RCE).

Description

A validation issue was addressed with improved input sanitization. This issue is fixed in iTunes U 3.8.3. Processing a maliciously crafted URL may lead to arbitrary javascript code execution.

Exploits (1)

nomisec WORKING POC 1 stars

by 3h6-1 · poc

https://github.com/3h6-1/CVE-2021-30862

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2021-30862, targeting a logic bug in iTunes U's URL scheme handling. The exploit demonstrates memory corruption via a use-after-free (UAF) vulnerability, leveraging iTunes API functions to achieve potential remote code execution (RCE).

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Theoretical

Target: iTunes U (versions prior to 3.8.3)

No auth needed

Prerequisites: Victim interaction to trigger the malicious URL scheme · iTunes U installed on the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory x_refsource_misc

https://support.apple.com/en-us/HT212809

Scores

CVSS v3 6.1

EPSS 0.0180

EPSS Percentile 75.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-20

Status published

Products (1)

apple/itunes_u < 3.8.3

Published Aug 24, 2021

Tracked Since Feb 18, 2026