CVE-2008-5914 - An unspecified function in the JavaScript implementation in Apple Safari creates and exposes a "temp

CVE-2008-5914

Summary

An unspecified function in the JavaScript implementation in Apple Safari creates and exposes a "temporary footprint" when there is a current login to a web site, which makes it easier for remote attackers to trick a user into acting upon a spoofed pop-up message, aka an "in-session phishing attack." NOTE: as of 20090116, the only disclosure is a vague pre-advisory with no actionable information. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

References

Vulnerable Configurations

cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*

CVSS

Base:	2.1 (as of 23-01-2009 - 15:44)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	HIGH	SINGLE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:H/Au:S/C:N/I:P/A:N

refmap via4

bid	33276
misc	http://arstechnica.com/news.ars/post/20090113-new-method-of-phishmongering-could-fool-experienced-users.html http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212900161 http://www.infoworld.com/article/09/01/13/Browser_bug_could_allow_phishing_without_email_1.html http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf

Last major update

23-01-2009 - 15:44

Published

20-01-2009 - 16:30

Last modified

23-01-2009 - 15:44