CVE-2015-3752 — Sensitive Information Exposure in Apple Iphone OS

CWE-200 — Sensitive Information Exposure8 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

1.5%

top 18.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Iphone OS Apple Safari Webkitgtk +4 more

Timeline

PublishedAug 16

Latest updateMay 14

Description

The Content Security Policy implementation in WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not properly restrict cookie transmission for report requests, which allows remote attackers to obtain sensitive information via vectors involving (1) a cross-origin request or (2) a private-browsing request.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages6 packages

▶NVDapple/safari6.0 — 6.2.8+2

▶Appleapple/safari_8.0.8_safari_7.1.8_and_safari6.2.8

▶NVDapple/iphone_os< 8.4.1

▶Ubuntuwebkitgtk/webkitgtk< 2.4.10-0ubuntu0.14.04.1+1

▶Appleapple/ios8.4.1

Also affects: Ubuntu Linux 14.04, 15.10

🔴Vulnerability Details

GHSA

GHSA-fgcj-8hc4-j3gh: The Content Security Policy implementation in WebKit in Apple Safari before 6↗2022-05-14

▶

OSV

CVE-2015-3752: The Content Security Policy implementation in WebKit in Apple Safari before 6↗2015-08-16

▶

📋Vendor Advisories

Ubuntu

WebKitGTK+ vulnerabilities↗2016-03-21

▶

Apple

CVE-2015-3752: iOS 8.4.1↗

▶

Apple

CVE-2015-3752: Safari 8.0.8, Safari 7.1.8, and Safari 6.2.8↗

▶

Apple

CVE-2015-3752: Apple TV 7.2.1↗

▶

💬Community

Bugzilla

CVE-2015-2753 CVE-2015-2754 CVE-2015-2776 freexl: multiple flaws when parsing malformed input↗2015-03-30

▶