CVE-2022-46695

CVSS 6.5 MEDIUM | EPSS 1.3% | CWE-1021

In short

A website could trick users by displaying fake UI elements through framed content, making them think they're interacting with legitimate parts of the interface. This was fixed by improving how Apple systems validate URLs.

Technical detail

A URL spoofing vulnerability in the frame handling mechanism of Apple platforms allowed attackers to craft malicious web content that, when framed, could visually spoof legitimate UI elements. The attack requires user interaction (visiting a malicious website). The issue was mitigated through enhanced input validation of URL parameters across the affected OS versions.

Summary generated and translated by AI from the official description.
A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. This issue is fixed in tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Visiting a website that frames malicious content may lead to UI spoofing.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
