Apple has reportedly fixed a stored cross-site scripting (XSS) vulnerability in the iCloud domain following its discovery by security researcher Vishal Bharad, ZDNet reports.
Stored XSS, also known as persistent XSS, vulnerabilities occur when an attacker finds a flaw in a Web application and injects malicious code into its server. Bharad reportedly found this bug in the Page/Keynotes feature of the iCloud website.
To exploit this vulnerability, an attacker would have to create new content in either Pages or Keynote and enter their XSS payload into the name field. They would have to save this and send it to, or collaborate with, another user. The attacker would then need to make some changes to the content, resave it, and then go to Settings > Browse All Versions.
The XSS would trigger after "Browse All Versions" was clicked, Bharad explains in a blog post.
Bharad reported the vulnerability to Apple on Aug. 7, 2020, and was rewarded $5,000 for his findings.