Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, watchOS 6.1, Safari 13.0.3, iTunes for Windows 12.10.2. Processing maliciously crafted web content may lead to arbitrary code execution.

Released October 28, 2019

**WebKit**

Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6, and included in macOS Catalina 10.15.1

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8813: an anonymous researcher

**WebKit**

Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6, and included in macOS Catalina 10.15.1

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8782: Cheolung Lee of LINE+ Security Team

CVE-2019-8783: Cheolung Lee of LINE+ Graylab Security Team

CVE-2019-8808: found by OSS-Fuzz

CVE-2019-8811: Soyeon Park of SSLab at Georgia Tech

CVE-2019-8812: JunDong Xie of Ant-financial Light-Year Security Lab

CVE-2019-8814: Cheolung Lee of LINE+ Security Team

CVE-2019-8816: Soyeon Park of SSLab at Georgia Tech

CVE-2019-8819: Cheolung Lee of LINE+ Security Team

CVE-2019-8820: Samuel Groß of Google Project Zero

CVE-2019-8821: Sergei Glazunov of Google Project Zero

CVE-2019-8822: Sergei Glazunov of Google Project Zero

CVE-2019-8823: Sergei Glazunov of Google Project Zero

Entry updated November 18, 2019

**WebKit**

Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6, and included in macOS Catalina 10.15.1

Impact: Visiting a maliciously crafted website may reveal the sites a user has visited

Description: The HTTP referrer header may be used to leak browsing history. The issue was resolved by downgrading all third party referrers to their origin.

CVE-2019-8827: Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, and Roberto Clapis of Google Security Team

Entry added February 3, 2020

**WebKit Process Model**

Available for: macOS Mojave 10.14.6 and macOS High Sierra 10.13.6, and included in macOS Catalina 10.15.1

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8815: Apple

CVE-2019-8812: About the security content of Safari 13.0.3

Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.

CVE-2019-19650: Release Notes - New features

MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.

**

Possible to circumvent title-blacklist (CVE-2019-19709)



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

*   Task Graph
*   Mentions

**Event Timeline**

Comment Actions

Yes, that's indeed the case. TitleBlacklist thinks the page being created is "w:Google.123.html", which doesn't match the specific rule in question. Rules beginning with .\*, like most on the current blacklist, do not seem able to be bypassed in this manner since the .\* will match the spurious interwiki prefix.

Comment Actions

@sbassett: I'm backporting the fix for this to Wikimedia sites now. I'll leave it to your team to backport the fix to 1.34 and earlier, if you feel that would be desirable.

Comment Actions

@Anomie - sounds good, I can try to pick 554084 to each supported release branch and see how it goes. I might solicit some help if those are more complicated than what gerrit can handle. I'm going to make this task public now since the code is on master, wmf.5 and wmf.8 and has been deployed. This probably warrants a CVE as well.

Comment Actions

**Update:** Picked to supported release branches and the bot updates are on the other bug (T239428). There was a minor conflict in includes/api/ApiEditPage.php for each of these, so I kept the old conditional instead of the newer ternary operator statement for now. Patches tested fine, they just need a +2, which I'll do if nobody else does.

This was kind of a strange one in that it was technically a security issue that was incidentally fixed by a well-timed, separate public task/patch. @Reedy is tracking it for the next release in T233495, but it wasn't "held" due to the aforementioned process oddities. I'll still request a CVE and update this bug once I have it.

sbassett renamed this task from Possible to circumvent title-blacklist to Possible to circumvent title-blacklist (CVE-2019-19709).Dec 11 2019, 3:06 PM

Comment Actions

At a quick glance, I don't see any indication that the bug has ever not existed since the redirect parameter was added in MW 1.17. But I haven't actually tested.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2019-19709: ⚓ T239466 Possible to circumvent title-blacklist (CVE-2019-19709)

Incorrect security UI in external protocol handling in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to spoof security UI via a crafted HTML page.

CVE-2019-13743

Insufficient policy enforcement in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.

CVE-2019-13739

Insufficient policy enforcement in navigation in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass site isolation via a crafted HTML page.

CVE-2019-13738

Insufficient policy enforcement in autocomplete in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2019-13737

Incorrect security UI in Omnibox in Google Chrome on iOS prior to 79.0.3945.79 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.

CVE-2019-13742

Insufficient policy enforcement in payments in Google Chrome prior to 79.0.3945.79 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.

CVE-2019-13763

Incorrect security UI in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.

Tag

#google