CVE-2015-1156 — Apple Iphone OS vulnerability

CWE-2645 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.6%

top 29.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Iphone OS Apple Safari Apple IOS +1 more

Timeline

PublishedMay 8

Latest updateMay 17

Description

The page-loading implementation in WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, does not properly handle the rel attribute in an A element, which allows remote attackers to bypass the Same Origin Policy for a link's target, and spoof the user interface, via a crafted web site.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

▶NVDapple/safari6.2.5+19

▶Appleapple/safari_8.0.6_safari_7.1.6_and_safari6.2.6

▶NVDapple/iphone_os8.3

▶Appleapple/ios8.4

🔴Vulnerability Details

GHSA

GHSA-cvr8-mgjg-pg2x: The page-loading implementation in WebKit, as used in Apple Safari before 6↗2022-05-17

▶

OSV

CVE-2015-1156: The page-loading implementation in WebKit, as used in Apple Safari before 6↗2015-05-08

▶

📋Vendor Advisories

Apple

CVE-2015-1156: iOS 8.4↗

▶

Apple

CVE-2015-1156: Safari 8.0.6, Safari 7.1.6, and Safari 6.2.6↗

▶