CVE-2015-1156
published 2015-05-08
CVE-2015-1156: The page-loading implementation in WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, does not properly handle the rel…
Priority P418·medium·4.3·CVSS 2.0
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS
0.63%
70.7th percentile
The page-loading implementation in WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, does not properly handle the rel attribute in an A element, which allows remote attackers to bypass the Same Origin Policy for a link's target, and spoof the user interface, via a crafted web site.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | <= 8.3 | — |
| apple | safari | <= 6.2.5 | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari | — | — |
| apple | safari_8.0.6_safari_7.1.6_and_safari | — | — |
CVSS provenance
nvd·v2.0·4.3·MEDIUM·AV:N/AC:M/Au:N/C:N/I:P/A:N
osv·4.3·MEDIUM
GHSA
GHSA-cvr8-mgjg-pg2x: The page-loading implementation in WebKit, as used in Apple Safari before 6
ghsa_unreviewed·2022-05-17
CVE-2015-1156 [MEDIUM] GHSA-cvr8-mgjg-pg2x: The page-loading implementation in WebKit, as used in Apple Safari before 6
OSV
CVE-2015-1156: The page-loading implementation in WebKit, as used in Apple Safari before 6
osv·2015-05-08·CVSS 4.3
CVE-2015-1156 [MEDIUM] CVE-2015-1156: The page-loading implementation in WebKit, as used in Apple Safari before 6
Apple
CVE-2015-1156: iOS 8.4
vendor_apple·CVSS 4.3
CVE-2015-1156 [MEDIUM] CVE-2015-1156: iOS 8.4
Apple Security Update: About the security content of iOS 8.4
Product: iOS
Version: 8.4
CVE: CVE-2015-1156
Component: CVE-ID
Apple
CVE-2015-1156: Safari 8.0.6, Safari 7.1.6, and Safari 6.2.6
vendor_apple·CVSS 4.3
CVE-2015-1156 [MEDIUM] CVE-2015-1156: Safari 8.0.6, Safari 7.1.6, and Safari 6.2.6
Apple Security Update: About the security content of Safari 8.0.6, Safari 7.1.6, and Safari 6.2.6
Product: Safari 8.0.6, Safari 7.1.6, and Safari
Version: 6.2.6
CVE: CVE-2015-1156
Component: CVE-ID
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://lists.apple.com/archives/security-announce/2015/Jun/msg00001.html
http://lists.apple.com/archives/security-announce/2015/May/msg00000.html
http://support.apple.com/kb/HT204941
http://www.securityfocus.com/bid/74524
http://www.securitytracker.com/id/1032270
https://support.apple.com/HT204826
2015-05-08
Published