CVE-2008-1999 - Apple Safari 3.1.1 allows remote attackers to spoof the address bar by placing many "invisible" char

CVE-2008-1999

Summary

Apple Safari 3.1.1 allows remote attackers to spoof the address bar by placing many "invisible" characters in the userinfo subcomponent of the authority component of the URL (aka the user field), as demonstrated by %E3%80%80 sequences.

References

http://es.geocities.com/jplopezy/pruebasafari3.html
http://secunia.com/advisories/29900
http://securityreason.com/securityalert/3833
http://www.securityfocus.com/archive/1/491192/100/0/threaded
http://www.vupen.com/english/advisories/2008/1347
https://exchange.xforce.ibmcloud.com/vulnerabilities/41981

Vulnerable Configurations

cpe:2.3:a:apple:safari:3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:3.1.1:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 11-10-2018 - 20:38)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:P/A:N

refmap via4

bugtraq	20080422 Safari 3.1.1 Multiple Vulnerabilities for windows
misc	http://es.geocities.com/jplopezy/pruebasafari3.html
secunia	29900
sreason	3833
vupen	ADV-2008-1347
xf	apple-safari-user-addressbar-spoofing(41981)

Last major update

11-10-2018 - 20:38

Published

28-04-2008 - 20:05

Last modified

11-10-2018 - 20:38