SB2019083019 - Cross-site scripting in webkit2gtk (Alpine package)
Published: August 30, 2019
Security Bulletin ID
SB2019083019
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2019-8649)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for Windows 7.13, iCloud for Windows 10.6. Processing maliciously crafted web content may lead to universal cross site scripting.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=2606d2b27c5e6739d86229be7a7a042584225ff2
- https://git.alpinelinux.org/aports/commit/?id=245aaafa114a2cc0e958b7431e14be68ad694cff
- https://git.alpinelinux.org/aports/commit/?id=0e2731f051905b883dcd7a4267d8c63026b20f91
- https://git.alpinelinux.org/aports/commit/?id=19abb7bb2c68ae9ed87a81bec158fd16f08cab97