The Page Loading functionality in WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7, as used in Apple iOS before 8.4 and other products, does not properly consider redirects during decisions about sending an Origin header, which makes it easier for remote attackers to bypass CSRF protection mechanisms via a crafted web site.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P
Vendors Products
Apple
  • Mac Os X
  • Iphone Os
  • Safari

Configuration 1 [-]

OR cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.0:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.1.2:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.1.3:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.1.4:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.1.5:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:7.1.6:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:8.0:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:8.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:8.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:8.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:8.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apple:safari:8.0.6:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
References
Link Resource
http://lists.apple.com/archives/security-announce/2015/Jun/msg00001.html Vendor Advisory
http://lists.apple.com/archives/security-announce/2015/Jun/msg00004.html Vendor Advisory
http://lists.opensuse.org/opensuse-updates/2016-03/msg00132.html
http://support.apple.com/kb/HT204941 Vendor Advisory
http://support.apple.com/kb/HT204950 Vendor Advisory
http://www.securityfocus.com/bid/75492
http://www.securitytracker.com/id/1032754
http://www.ubuntu.com/usn/USN-2937-1
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: apple

Published: 2015-07-03T01:00:00

Updated: 2016-12-23T18:57:01

Reserved: 2015-05-07T00:00:00

Link: CVE-2015-3658

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2015-07-03T01:59:17.370

Modified: 2016-12-28T02:59:14.183

Link: CVE-2015-3658

JSON object: View

cve-icon Redhat Information

No data.

CWE