CVE-2015-3750
published 2015-08-16CVE-2015-3750: WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not enforce the HTTP Strict…
PriorityP429medium6.4CVSS 2.0
AVNACLAuNCPIPAN
EPSS
0.77%
73.9th percentile
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not enforce the HTTP Strict Transport Security (HSTS) protection mechanism for Content Security Policy (CSP) report requests, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or spoof a report by modifying the client-server data stream.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | apple_tv | — | — |
| apple | ios | — | — |
| apple | iphone_os | < 8.4.1 | 8.4.1 |
| apple | iphone_os | <= 8.4 | — |
| apple | safari | >= 6.0 < 6.2.8 | 6.2.8 |
| apple | safari | >= 7.0 < 7.1.8 | 7.1.8 |
| apple | safari | >= 8.0 < 8.0.8 | 8.0.8 |
| apple | safari_8.0.8_safari_7.1.8_and_safari | — | — |
CVSS provenance
nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:P/I:P/A:N
osv6.4MEDIUM
Apple
CVE-2015-3750: Safari 8.0.8, Safari 7.1.8, and Safari 6.2.8
vendor_apple·CVSS 6.4
CVE-2015-3750 [MEDIUM] CVE-2015-3750: Safari 8.0.8, Safari 7.1.8, and Safari 6.2.8
Apple Security Update: About the security content of Safari 8.0.8, Safari 7.1.8, and Safari 6.2.8
Product: Safari 8.0.8, Safari 7.1.8, and Safari
Version: 6.2.8
CVE: CVE-2015-3750
Component: CVE-ID
Apple
CVE-2015-3750: iOS 8.4.1
vendor_apple·CVSS 6.4
CVE-2015-3750 [MEDIUM] CVE-2015-3750: iOS 8.4.1
Apple Security Update: About the security content of iOS 8.4.1
Product: iOS
Version: 8.4.1
CVE: CVE-2015-3750
Component: CVE-ID
Apple
CVE-2015-3750: Apple TV 7.2.1
vendor_apple·CVSS 6.4
CVE-2015-3750 [MEDIUM] CVE-2015-3750: Apple TV 7.2.1
Apple Security Update: About the security content of Apple TV 7.2.1
Product: Apple TV
Version: 7.2.1
CVE: CVE-2015-3750
Component: CVE-ID
GHSA
GHSA-544q-w4rg-fjc5: WebKit in Apple Safari before 6
ghsa_unreviewed·2022-05-14
CVE-2015-3750 [MEDIUM] GHSA-544q-w4rg-fjc5: WebKit in Apple Safari before 6
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not enforce the HTTP Strict Transport Security (HSTS) protection mechanism for Content Security Policy (CSP) report requests, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or spoof a report by modifying the client-server data stream.
OSV
CVE-2015-3750: WebKit in Apple Safari before 6
osv·2015-08-16·CVSS 6.4
CVE-2015-3750 [MEDIUM] CVE-2015-3750: WebKit in Apple Safari before 6
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not enforce the HTTP Strict Transport Security (HSTS) protection mechanism for Content Security Policy (CSP) report requests, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or spoof a report by modifying the client-server data stream.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://lists.apple.com/archives/security-announce/2015/Aug/msg00000.htmlhttp://lists.apple.com/archives/security-announce/2015/Aug/msg00002.htmlhttp://lists.opensuse.org/opensuse-updates/2016-03/msg00054.htmlhttp://www.securityfocus.com/bid/76341http://www.securitytracker.com/id/1033274https://support.apple.com/kb/HT205030https://support.apple.com/kb/HT205033http://lists.apple.com/archives/security-announce/2015/Aug/msg00000.htmlhttp://lists.apple.com/archives/security-announce/2015/Aug/msg00002.htmlhttp://lists.opensuse.org/opensuse-updates/2016-03/msg00054.htmlhttp://www.securityfocus.com/bid/76341http://www.securitytracker.com/id/1033274https://support.apple.com/kb/HT205030https://support.apple.com/kb/HT205033
2015-08-16
Published