CVE-2020-9952

7.1 HIGH

📋 TL;DR

CVE-2020-9952 is a cross-site scripting (XSS) vulnerability in Apple's web content processing components. Processing maliciously crafted web content can lead to attacker-controlled script running in the victim's browser. Affected users include those running vulnerable versions of iOS, iPadOS, tvOS, watchOS, Safari, and iCloud for Windows.

💻 Affected Systems

Products:
  • iOS
  • iPadOS
  • tvOS
  • watchOS
  • Safari
  • iCloud for Windows
Versions: Before iOS 14.0, iPadOS 14.0, tvOS 14.0, watchOS 7.0, Safari 14.0, iCloud for Windows 11.4, iCloud for Windows 7.21
Operating Systems: iOS, iPadOS, tvOS, watchOS, Windows (iCloud for Windows)
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected products are vulnerable. The vulnerability exists in the web content processing engine.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, session hijacking, credential theft, and malware distribution to affected users.

🟠 Likely Case: Session hijacking, credential theft, and unauthorized actions performed in the context of the victim user.

🟢 If Mitigated: Limited impact with proper input validation and output encoding in place, potentially only affecting specific functionality.

🌐 Internet-Facing: HIGH - Web browsers and web content processing applications are directly exposed to malicious content from the internet.
🏢 Internal Only: MEDIUM - Internal users could be targeted through phishing or compromised internal websites.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly exploited and weaponized. The references include detailed disclosure information.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 14.0, iPadOS 14.0, tvOS 14.0, watchOS 7.0, Safari 14.0, iCloud for Windows 11.4, iCloud for Windows 7.21

Vendor Advisory: https://support.apple.com/en-us/HT211850

Restart Required: Yes

Instructions:

1. Update iOS/iPadOS to version 14.0 or later via Settings > General > Software Update.
2. Update tvOS to version 14.0 or later via Settings > System > Software Updates.
3. Update watchOS to version 7.0 or later via iPhone Watch app > General > Software Update.
4. Update Safari to version 14.0 or later via System Preferences > Software Update.
5. Update iCloud for Windows to version 11.4 or 7.21 via Microsoft Store or Apple Software Update.

🔧 Temporary Workarounds

Disable JavaScript (applies to: all)

Disable JavaScript in Safari and other affected browsers to prevent XSS execution.

Safari: Safari > Preferences > Security > uncheck 'Enable JavaScript'

Use Content Security Policy (applies to: all)

Implement Content Security Policy headers to restrict script execution.

Add header: Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Implement web application firewalls (WAF) with XSS filtering rules
  • Use browser extensions that block malicious scripts (like NoScript)

🔍 How to Verify

Check if Vulnerable:

Check current version against affected versions list. For iOS: Settings > General > About > Version. For Safari: Safari > About Safari.

Check Version:

iOS: Settings > General > About > Version; macOS: Safari > About Safari; Windows: iCloud for Windows > Help > About iCloud

Verify Fix Applied:

Verify version is equal to or greater than patched versions: iOS 14.0+, iPadOS 14.0+, tvOS 14.0+, watchOS 7.0+, Safari 14.0+, iCloud for Windows 11.4+ or 7.21+.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution patterns
  • Suspicious script tags in web requests
  • Unexpected redirects to malicious domains

Network Indicators:

  • Requests to known malicious domains from affected devices
  • Unusual outbound traffic patterns from browsers

SIEM Query:

source="web_proxy" AND (url="*<script>*" OR url="*javascript:*") AND user_agent="*Safari*"
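The SIEM query above, applied to a few constructed proxy log entries as an added example (not part of the original page; field names and sample lines are hypothetical). It also shows two gaps a literal wildcard match leaves open: percent-encoded payloads, and the fact that Chrome-family user agents also carry a Safari token.

```python
import re
from urllib.parse import unquote

# Constructed sample proxy log entries (hypothetical field names, not a real log format).
SAMPLE_PROXY_LOGS = [
    {"client": "10.0.0.12",
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) Version/13.1 Safari/604.1",
     "url": "https://example.test/search?q=<script>alert(1)</script>"},
    {"client": "10.0.0.13",
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) Version/13.1 Safari/604.1",
     "url": "https://example.test/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"},
    {"client": "10.0.0.14",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0 Safari/537.36",
     "url": "https://example.test/page?next=javascript:void(0)"},
    {"client": "10.0.0.15",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Version/13.1 Safari/605.1.15",
     "url": "https://example.test/docs/index.html"},
]

# The two URL substrings the page's query looks for.
SCRIPT_PATTERN = re.compile(r"<script>|javascript:", re.IGNORECASE)

def is_safari(user_agent, strict=False):
    """Loose mode mirrors the page's user_agent="*Safari*" wildcard. Strict mode
    excludes Chrome-family agents, whose UA strings also contain a Safari token."""
    if "Safari" not in user_agent:
        return False
    if strict and ("Chrome/" in user_agent or "CriOS/" in user_agent):
        return False
    return True

def matches_siem_query(entry, decode=False, strict=False):
    """Apply the page's query to one entry. decode=True also checks a
    percent-decoded copy of the URL, which the literal wildcard match misses."""
    if not is_safari(entry["user_agent"], strict):
        return False
    candidates = [entry["url"]]
    if decode:
        candidates.append(unquote(entry["url"]))
    return any(SCRIPT_PATTERN.search(u) for u in candidates)

def flag_entries(entries, decode=False, strict=False):
    """Return the client addresses whose entries match the query."""
    return [e["client"] for e in entries if matches_siem_query(e, decode, strict)]
```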
