#VU1095 Information disclosure in iTunes - CVE-2016-4613

Cybersecurity Help s.r.o.

Published: 2016-10-28 | Updated: 2016-10-31

Vulnerability identifier: #VU1095

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-4613

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
iTunes
Client/Desktop applications / Multimedia software

Vendor: Apple Inc.

Description
The vulnerability allows a remote unauthenticated user to obtain potentially sensitive information on the target system.
The weakness is due to input validation flaw. By persuading the victim to load a specially crafted web content, a remote attacker can gain access to important data.
Successful exploitation of the vulnerability results in disclosure of potentially sensitive information.

Mitigation
Update to version 12.5.2.

Vulnerable software versions

iTunes: 7.3.2 - 12.5.2

External links
https://support.apple.com/en-us/HT207274

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Apple iTunes