Information Disclosure in Storage Access API for Apple Products
CVE-2019-8898

4.3MEDIUM

Key Information:

Vendor
Apple
Status
iOS And iPad OS
TV OS
Safari
Itunes For Windows
Vendor
CVE Published:
27 October 2020

Summary

An information disclosure issue was found in the handling of the Storage Access API within various Apple products. This vulnerability allows a user’s browsing history to be potentially revealed when visiting a specially crafted malicious website. The issue has been addressed in updates including iOS 13.3, iPadOS 13.3, tvOS 13.3, Safari 13.0.4, and iTunes 12.10.3 for Windows, which incorporate improved logic to mitigate the risk of such exposure.

Affected Version(s)

iOS and iPadOS < 13.3

iTunes for Windows < 12.10

Safari < 13.0

References

https://support.apple.com/en-us/HT210785
x_refsource_MISC
https://support.apple.com/en-us/HT210790
x_refsource_MISC
https://support.apple.com/en-us/HT210793
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.