Search for vulnerabilities
Vulnerability details: VCID-mfnb-qtnt-x3c8
Vulnerability ID VCID-mfnb-qtnt-x3c8
Aliases CVE-2020-9850
Summary A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.5 and iPadOS 13.5, tvOS 13.4.5, watchOS 6.2.5, Safari 13.1.1, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19. A remote attacker may be able to cause arbitrary code execution.
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-841 Improper Enforcement of Behavioral Workflow
System Score Found at
cvssv3 7.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9850.json
epss 0.83602 https://api.first.org/data/v1/epss?cve=CVE-2020-9850
epss 0.83602 https://api.first.org/data/v1/epss?cve=CVE-2020-9850
epss 0.83602 https://api.first.org/data/v1/epss?cve=CVE-2020-9850
epss 0.83602 https://api.first.org/data/v1/epss?cve=CVE-2020-9850
epss 0.83602 https://api.first.org/data/v1/epss?cve=CVE-2020-9850
epss 0.8397 https://api.first.org/data/v1/epss?cve=CVE-2020-9850
epss 0.8397 https://api.first.org/data/v1/epss?cve=CVE-2020-9850
epss 0.84339 https://api.first.org/data/v1/epss?cve=CVE-2020-9850
epss 0.84339 https://api.first.org/data/v1/epss?cve=CVE-2020-9850
cvssv3.1 7.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2020-9850
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2020-9850
archlinux Critical https://security.archlinux.org/AVG-1203
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9850.json
https://api.first.org/data/v1/epss?cve=CVE-2020-9850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9850
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1879568 https://bugzilla.redhat.com/show_bug.cgi?id=1879568
ASA-202007-1 https://security.archlinux.org/ASA-202007-1
AVG-1203 https://security.archlinux.org/AVG-1203
cpe:2.3:a:apple:icloud:*:*:*:*:*:windows:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apple:icloud:*:*:*:*:*:windows:*:*
cpe:2.3:a:apple:itunes:*:*:*:*:*:windows:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apple:itunes:*:*:*:*:*:windows:*:*
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
CVE-2020-9850 https://nvd.nist.gov/vuln/detail/CVE-2020-9850
RHSA-2020:4451 https://access.redhat.com/errata/RHSA-2020:4451
RHSA-2025:10364 https://access.redhat.com/errata/RHSA-2025:10364
USN-4422-1 https://usn.ubuntu.com/4422-1/
Data source Metasploit
Description This module exploits an incorrect side-effect modeling of the 'in' operator. The DFG compiler assumes that the 'in' operator is side-effect free, however the <embed> element with the PDF plugin provides a callback that can trigger side-effects leading to type confusion (CVE-2020-9850). The type confusion can be used as addrof and fakeobj primitives that then lead to arbitrary read/write of memory. These primitives allow us to write shellcode into a JIT region (RWX memory) containing the next stage of the exploit. The next stage uses CVE-2020-9856 to exploit a heap overflow in CVM Server, and extracts a macOS application containing our payload into /var/db/CVMS. The payload can then be opened with CVE-2020-9801, executing the payload as a user but without sandbox restrictions.
Note 
Reliability:
  - repeatable-session
SideEffects:
  - ioc-in-logs
Stability:
  - crash-safe
Ransomware campaign use Unknown
Source publication date March 18, 2020
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/osx/browser/safari_in_operator_side_effect.rb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9850.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2020-9850
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2020-9850
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.99233
EPSS Score 0.83602
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:36:17.872520+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.12/community.json 37.0.0