CVE-2019-8754

MEDIUM Year: 2019
CVSS v3 Score
6.5
Medium
CVSS v2 Score
4.3
Medium
Weakness Type
CWE-346
View all →

Vulnerability Description

A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. This issue is fixed in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006. A malicious HTML document may be able to render iframes with sensitive user information.

Related Vulnerabilities

CVE-2018-12402

MEDIUM
CVSS:6.5(Medium)

The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This manifests when sub-resources are loaded as part of "Save Page As..." functionality. For example...

CWE-3462018

CVE-2018-16072

MEDIUM
CVSS:6.5(Medium)

A missing origin check related to HLS manifests in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

CWE-3462018

CVE-2018-18494

MEDIUM
CVSS:6.5(Medium)

A same-origin policy violation allowing the theft of cross-origin URL entries when using the Javascript location property to cause a redirection to another site using performance.getEntries(). This is...

CWE-3462018

CVE-2018-18499

MEDIUM
CVSS:6.5(Medium)

A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta http-equiv="refresh" on a page to cause a redirection to another site using performance.getEntries(). Th...

CWE-3462018

CVE-2019-13664

MEDIUM
CVSS:6.5(Medium)

Insufficient policy enforcement in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.

CWE-3462019

CVE-2019-13740

MEDIUM
CVSS:6.5(Medium)

Incorrect security UI in sharing in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via a crafted HTML page.

CWE-3462019