VYPR
Unrated severity · NVD Advisory · Published Oct 23, 2015 · Updated May 6, 2026

CVE-2015-7007

Description

Script Editor in Apple OS X before 10.11.1 allows remote attackers to bypass an intended user-confirmation requirement for AppleScript execution via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Script Editor in OS X before 10.11.1 lets remote attackers bypass user confirmation for AppleScript execution via the applescript:// URL scheme.

Vulnerability

The vulnerability resides in the Script Editor component of Apple OS X, specifically in versions before 10.11.1 (El Capitan), 10.10.5 (Yosemite), and 10.9.5 (Mavericks) [1]. The issue involves the applescript:// URL scheme, which, when opened in Safari, launches the AppleScript Editor with the provided script content [2]. No additional user confirmation is required beyond the initial load; pressing Command-R in the Editor executes the script [2]. The attacker only needs to craft a malicious website and trick the user into interacting with it.

Exploitation

An attacker can host a malicious website that, when visited by a Safari user on an affected OS X version, presents a crafted applescript:// URL. The attacker hooks the Command-key keypress event in the browser and, by getting the user to press Command-R (a common refresh shortcut), the AppleScript Editor executes the attacker's script without any further confirmation [2]. User interaction is thus limited to pressing a key combination, which the attacker can socially engineer as part of normal browsing, e.g., “please press Command-R to view the page correctly.”

Impact

Successful exploitation allows arbitrary AppleScript execution on the victim's machine. This can lead to full compromise of the user's system, including data access, file manipulation, installation of malware, or further privilege escalation. The attacker does not require authentication beyond the user's current session [2]. The impact is high, as AppleScript can control many macOS functions.

Mitigation

Apple released OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks on October 21, 2015, which address this vulnerability [1]. Users should update to the latest available version for their OS X release. As a workaround, users can avoid pressing Command-R in response to unexpected prompts in Safari or disable the applescript:// URL scheme handling if possible, though no detailed workaround was provided by Apple. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.