CVE-2016-1786 — Sensitive Information Exposure in Apple Iphone OS

CWE-200 — Sensitive Information Exposure6 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.4%

top 36.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Iphone OS Apple Safari Apple IOS

Timeline

PublishedMar 24

Latest updateMay 14

Description

The Page Loading implementation in WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles HTTP responses with a 3xx (aka redirection) status code, which allows remote attackers to spoof the displayed URL, bypass the Same Origin Policy, and obtain sensitive cached information via a crafted web site.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages4 packages

▶NVDapple/safari9.0.3

▶Appleapple/safari9.1

▶NVDapple/iphone_os9.2.1

▶Appleapple/ios9.3

🔴Vulnerability Details

GHSA

GHSA-hq5w-jxpr-6446: The Page Loading implementation in WebKit in Apple iOS before 9↗2022-05-14

▶

OSV

CVE-2016-1786: The Page Loading implementation in WebKit in Apple iOS before 9↗2016-03-24

▶

💥Exploits & PoCs

Exploit-DB

IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Local Privilege Escalation↗2016-11-04

▶

📋Vendor Advisories

Apple

CVE-2016-1786: Safari 9.1↗

▶

Apple

CVE-2016-1786: iOS 9.3↗

▶