VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 14, 2011· Updated Apr 29, 2026

CVE-2011-3218

CVE-2011-3218

Description

The "Save for Web" selection in QuickTime Player in Apple Mac OS X through 10.6.8 exports HTML documents that contain an http link to a script file, which allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks by spoofing the http server during local viewing of an exported document.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

QuickTime Player's 'Save for Web' feature on Mac OS X through 10.6.8 exports HTML with an unsecured http script link, enabling MITM cross-site scripting when the document is viewed locally.

Vulnerability

The "Save for Web" feature in QuickTime Player on Apple Mac OS X through 10.6.8 exports HTML documents that include an HTTP link to a script file. This design allows a man-in-the-middle attacker to inject cross-site scripting (XSS) by spoofing the HTTP server during local viewing of the exported document. Affected versions are Mac OS X v10.6.8 and earlier.

Exploitation

An attacker must be in a position to perform a man-in-the-middle attack on the network connection when the user views the exported HTML document locally. The attacker spoofs the HTTP server referenced in the exported HTML, serving a malicious script instead of the legitimate one. No authentication or user interaction beyond viewing the exported file is required.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the locally viewed HTML document, leading to cross-site scripting (XSS). This could result in information disclosure or other actions depending on the local environment.

Mitigation

Apple addressed this issue in Security Update 2011-006 for Mac OS X v10.6.8 and in OS X Lion v10.7.2 [1]. Users should apply the appropriate update via Software Update or Apple Downloads. No workaround is documented.

References
  1. About the security content of OS X Lion v10.7.2 and Security Update 2011-006 - Apple Support

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

133
  • Apple Inc./Mac Os X66 versions
    cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*+ 65 more
    • cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*range: <=10.6.8
    • cpe:2.3:o:apple:mac_os_x:10.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.0.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.0.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.0.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.1.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.1.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.1.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.7:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.8:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.7:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.8:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.9:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.10:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.11:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.7:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.8:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.9:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.7:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.8:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.6.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.6.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.6.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.6.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.6.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.6.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.6.7:*:*:*:*:*:*:*
  • Apple Inc./Mac Os X Server66 versions
    cpe:2.3:o:apple:mac_os_x_server:*:*:*:*:*:*:*:*+ 65 more
    • cpe:2.3:o:apple:mac_os_x_server:*:*:*:*:*:*:*:*range: <=10.6.8
    • cpe:2.3:o:apple:mac_os_x_server:10.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.0.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.0.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.0.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.1.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.1.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.1.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.7:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.8:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.7:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.8:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.9:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.10:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.11:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.7:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.8:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.9:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.7:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.8:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.6.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.6.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.6.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.6.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.6.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.6.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.6.7:*:*:*:*:*:*:*
  • Apple Inc./QuickTime Playerllm-create
    Range: <=10.6.8

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.