VID | 50124
Severity | 30
Port | 3689
Protocol | TCP
Class | SMB
Detailed Description |
The version of Apple iTunes running on the remote host is prior to 12.6. It is, therefore, affected by multiple vulnerabilities:
- Multiple vulnerabilities exist in the expat component, the most severe of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities to cause a denial of service condition or the execution of arbitrary code in the context of the current user. (CVE-2009-3270, CVE-2009-3560, CVE-2009-3720, CVE-2012-1147, CVE-2012-1148, CVE-2012-6702, CVE-2015-1283, CVE-2016-0718, CVE-2016-4472, CVE-2016-5300)
- Multiple vulnerabilities exist in the SQLite component, the most severe of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to open a specially crafted file, to cause a denial of service condition or the execution of arbitrary code in the context of the current user. (CVE-2013-7443, CVE-2015-3414, CVE-2015-3415, CVE-2015-3416, CVE-2015-3717, CVE-2015-6607, CVE-2016-6153)
- An information disclosure vulnerability exists in the APNs server component due to client certificates being transmitted in cleartext. A man-in-the-middle attacker can exploit this to disclose sensitive information. (CVE-2017-2383)
- A use-after-free error exists in the WebKit component due to improper handling of RenderBox objects. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-2463)
- Multiple universal cross-site scripting (XSS) vulnerabilities exist in the WebKit component due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these vulnerabilities, by convincing a user to visit a specially crafted web page, to execute arbitrary script code in a user's browser session. (CVE-2017-2479, CVE-2017-2480, CVE-2017-2493)
- An integer overflow condition exists in the libxslt component in the xsltAddTextString() function in transform.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause an out-of-bounds write, resulting in the execution of arbitrary code. (CVE-2017-5029)
* References:
https://support.apple.com/en-us/HT207599
https://support.apple.com/en-us/HT207598
https://lists.apple.com/archives/security-announce/2017/Mar/msg00000.html
https://lists.apple.com/archives/security-announce/2017/Mar/msg00001.html
https://lists.apple.com/archives/security-announce/2017/Mar/msg00010.html
* Platforms Affected: Apple Computer, Inc., iTunes versions prior to 12.6
Recommendation | Upgrade to the latest version of iTunes (12.6 or later), available from the Apple Download Web site at http://www.apple.com/itunes/download/
Related URL (CVE) | CVE-2009-3270, CVE-2009-3560, CVE-2009-3720, CVE-2012-1147, CVE-2012-1148, CVE-2012-6702, CVE-2013-7443, CVE-2015-1283, CVE-2015-3414, CVE-2015-3415
Related URL (SecurityFocus) | 36097, 37203, 52379, 74228, 75491, 75973, 76089, 76970, 79354, 90729, 91159, 91483, 91528, 91546, 96767, 97175, 97176
Related URL (ISS) |