7.5

CVE-2008-3434

Apple iTunes before 10.5.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.

Data is provided by the National Vulnerability Database (NVD)
AppleiTunes Version <= 6.0.5
AppleiTunes Version1.0
AppleiTunes Version1.1
AppleiTunes Version1.1.1
AppleiTunes Version1.1.2
AppleiTunes Version2.0
AppleiTunes Version2.0.1
AppleiTunes Version2.0.2
AppleiTunes Version2.0.3
AppleiTunes Version2.0.4
AppleiTunes Version3.0
AppleiTunes Version3.0.1
AppleiTunes Version4.0
AppleiTunes Version4.0.1
AppleiTunes Version4.1
AppleiTunes Version4.2
AppleiTunes Version4.5
AppleiTunes Version4.6
AppleiTunes Version4.7
AppleiTunes Version4.7.1
AppleiTunes Version4.8
AppleiTunes Version4.9
AppleiTunes Version5.0
AppleiTunes Version5.0.1
AppleiTunes Version6.0
AppleiTunes Version6.0.1
AppleiTunes Version6.0.2
AppleiTunes Version6.0.3
AppleiTunes Version6.0.4
AppleiTunes Version6.0.4.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.7% 0.696
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.