Cyber Resilience

CVE-2021-1879

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 02 April 2021
Modified: 23 October 2025
KEV Added: 03 November 2021
Patch: available (vendor updates listed below)
CVSS Score (v3.1): 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0081 (74.7th percentile)
Risk Priority: 33 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-1879 is a medium-severity cross-site scripting (CWE-79) vulnerability in Apple iPhone OS (iOS). Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 25.3% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2021-1879 is a cross-site scripting flaw (CWE-79) caused by insufficient management of object lifetimes during web content processing. It affects Apple iOS prior to versions 12.5.2 and 14.4.2, iPadOS prior to 14.4.2, and watchOS prior to 7.3.3. Its CVSS score of 6.1 reflects a network attack vector, low attack complexity, no privileges required, required user interaction, a changed scope, and low confidentiality and integrity impacts.

An attacker can exploit the issue by serving maliciously crafted web content that triggers universal cross-site scripting, allowing limited reading or modification of data across security boundaries on the affected device. The attack requires no authentication and can be delivered remotely, though user interaction such as visiting a web page is needed.

Apple security advisories for iOS 12.5.2, iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3 state that the issue is resolved by improved object-lifetime management in those updates. The vendor notes awareness of a report indicating that the vulnerability may have been actively exploited in the wild.

Vulnerability details

This issue was addressed by improved management of object lifetimes. This issue is fixed in iOS 12.5.2, iOS 14.4.2 and iPadOS 14.4.2, watchOS 7.3.3. Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.

CWE(s): CWE-79 (Cross-site Scripting)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Apple iPadOS: ≤ 14.4.2
Apple iPhone OS (iOS): ≤ 12.5.2 · 13.0 — 14.4.2
Apple watchOS: ≤ 7.3.3

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely application of the vendor patches (iOS 12.5.2/14.4.2, iPadOS 14.4.2, watchOS 7.3.3) that corrected the object-lifetime flaw.

SC-18 Mobile Code (partial match, prevent)

Restricts execution of untrusted mobile code (WebKit/JavaScript) that is the delivery vector for the universal XSS payload.

AC-4 Information Flow Enforcement (prevent)

Enforces information-flow boundaries between web-origin contexts, blocking the cross-site data access the flaw permits.

References