Safari information disclosure vulnerability


Safari contains an information disclosure vulnerability caused by the improper handling of XML files.

Takayoshi Isayama from Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

Apple Inc.
  • Safari versions prior to 6.0


When opening a specially crafted XML file as a local file, the contents of another local file may be disclosed.

[Update the software]
Update to the latest version according to the information provided by the developer.

As of May 31, 2013, Safari 6.0.1 for Windows has not been released.
Users of the Windows version of Safari are advised to stop using the product.
Vendor Information

Apple Inc.
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]
CVE


  1. JVN : JVN#07354844
Revision History

  • [2013/05/31]
      Web page was published