CVE-2020-9805

7.1 HIGH

📋 TL;DR

CVE-2020-9805 is a universal cross-site scripting (XSS) vulnerability in Apple's WebKit browser engine. Processing malicious web content could allow attackers to execute arbitrary JavaScript in the context of any website. This affects users of Apple's iOS, iPadOS, tvOS, watchOS, Safari, iTunes for Windows, and iCloud for Windows.

💻 Affected Systems

Products:
  • iOS
  • iPadOS
  • tvOS
  • watchOS
  • Safari
  • iTunes for Windows
  • iCloud for Windows
Versions: All versions before iOS 13.5, iPadOS 13.5, tvOS 13.4.5, watchOS 6.2.5, Safari 13.1.1, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19
Operating Systems: iOS, iPadOS, tvOS, watchOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected Apple products are vulnerable. The vulnerability exists in WebKit, which powers Safari and other Apple browsers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, credentials, or sensitive data from any website the user visits, potentially leading to account takeover and data exfiltration.

🟠 Likely Case

Attackers could inject malicious scripts into legitimate websites to steal user data or redirect to phishing sites.

🟢 If Mitigated

With proper web security controls like Content Security Policy (CSP) and modern browser protections, impact would be limited to specific contexts.

🌐 Internet-Facing: HIGH - Web browsers process untrusted internet content by design, making exploitation straightforward via malicious websites.
🏢 Internal Only: MEDIUM - Internal web applications could be targeted if users access them with vulnerable browsers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (visiting a malicious website) but no authentication. The logic issue in WebKit makes XSS payloads execute in broader contexts than typical XSS.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 13.5, iPadOS 13.5, tvOS 13.4.5, watchOS 6.2.5, Safari 13.1.1, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19

Vendor Advisory: https://support.apple.com/HT211168

Restart Required: Yes

Instructions:

1. Update iOS/iPadOS: Settings > General > Software Update.
2. Update Safari: App Store > Updates.
3. Update iTunes/iCloud for Windows: Open application > Help > Check for Updates.
4. Restart devices after updating.

🔧 Temporary Workarounds

Disable JavaScript

all

Disabling JavaScript in Safari/iOS settings prevents XSS exploitation but breaks most modern websites.

Settings > Safari > Advanced > JavaScript > Toggle Off

Use Alternative Browser

all

Use browsers not based on WebKit (e.g., Firefox, Chrome) until patches are applied.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers on web applications to limit script execution.
  • Use browser extensions that block malicious scripts (e.g., NoScript) and educate users about phishing risks.

🔍 How to Verify

Check if Vulnerable:

Check device/software version against affected versions list. For iOS: Settings > General > About > Version.

Check Version:

iOS: Settings > General > About. Safari: Safari > About Safari. Windows: Help > About in iTunes/iCloud.

Verify Fix Applied:

Confirm the installed version is equal to or newer than the patched versions listed under Official Fix above.
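
The version check described above can be automated across an inventory. The following is an added example, not part of the vendor advisory or the original page; the fixed versions come from the Patch Version line, while the rule for assigning an iCloud for Windows build to the 7.x or 11.x line and the inventory rows are assumptions made for illustration.

```python
# Added example: compare installed versions with the fixed versions on this page.
import re

# First fixed versions, taken from the "Patch Version" line of this page.
FIXED = {
    "ios": "13.5", "ipados": "13.5", "tvos": "13.4.5", "watchos": "6.2.5",
    "safari": "13.1.1", "itunes for windows": "12.10.7",
}
# iCloud for Windows has two fixed releases. Assumption: builds with a major
# version <= 7 belong to the 7.x line (fixed in 7.19); everything else is
# compared against 11.2. A single comparison would misreport 7.19 or 7.20.
ICLOUD_FIXED = {"legacy": "7.19", "current": "11.2"}


def parse(version):
    """Turn '13.4.1' or '13.5 (17F75)' into a comparable tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 13.5.0 as 13.5
        parts.pop()
    return tuple(parts)


def is_vulnerable(product, version):
    """True if the installed version predates the fix for CVE-2020-9805."""
    name = product.strip().lower()
    installed = parse(version)
    if name == "icloud for windows":
        line = "legacy" if installed[0] <= 7 else "current"
        return installed < parse(ICLOUD_FIXED[line])
    if name not in FIXED:
        raise KeyError(f"product not listed on this page: {product!r}")
    return installed < parse(FIXED[name])


# Constructed inventory rows (not real data).
INVENTORY = [("iOS", "13.4.1"), ("Safari", "13.1.1"), ("iCloud for Windows", "7.18"),
             ("iCloud for Windows", "10.9"), ("tvOS", "13.4.5"), ("watchOS", "6.2")]

if __name__ == "__main__":
    for product, version in INVENTORY:
        state = "VULNERABLE" if is_vulnerable(product, version) else "patched"
        print(f"{product:20} {version:8} {state}")
```

Products that are not listed on this page raise an error instead of being reported as patched, so unknown inventory entries are not silently passed.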

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution patterns in web server logs
  • Multiple failed script load attempts from same IP

Network Indicators:

  • Suspicious script tags in HTTP requests
  • Unusual outbound connections from browsers to unknown domains

SIEM Query:

source="web_logs" AND (http_user_agent CONTAINS "Safari" OR http_user_agent CONTAINS "AppleWebKit") AND (url CONTAINS "<script>" OR url CONTAINS "javascript:")
