VYPR
Unrated severity · NVD Advisory · Published Dec 18, 2019 · Updated Aug 4, 2024

CVE-2019-8670

Description

An inconsistent user interface issue was addressed with improved state management. This issue is fixed in macOS Mojave 10.14.6, Safari 12.1.2. Visiting a malicious website may lead to address bar spoofing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2019-8670 is an address bar spoofing vulnerability in Safari and macOS: a malicious website can cause the address bar to show a URL that does not match the site supplying the page content.

Vulnerability

An inconsistent user interface issue in Safari, affecting versions prior to 12.1.2 on macOS Sierra 10.12.6, High Sierra 10.13.6, and Mojave 10.14.5, could allow a malicious website to spoof the address bar. The flaw exists in the browser's state management of the address bar content during navigation.

Exploitation

An attacker can exploit this vulnerability by luring a victim to visit a crafted malicious website. No additional privileges or user interaction beyond visiting the site is required. The inconsistent UI state leads the browser to display a different, legitimate URL in the address bar while the page content originates from the attacker's site.

Impact

Successful exploitation results in address bar spoofing, where the user sees a trusted URL but the underlying page content is from an attacker-controlled source. This can be leveraged for phishing attacks, tricking users into entering credentials or other sensitive information.

Mitigation

Apple addressed the issue in macOS Mojave 10.14.6 and Safari 12.1.2, both released on July 22, 2019 [1][2]. Users should update to the latest available versions. There is no known workaround for older, unsupported versions.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

References

2
