CVE-2015-3752

Apple Safari < 6.2.8 - Exposure of Sensitive Information via Content Security Policy Cookie Transmission

Title source: llm
STIX 2.1

Description

The Content Security Policy implementation in WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not properly restrict cookie transmission for report requests, which allows remote attackers to obtain sensitive information via vectors involving (1) a cross-origin request or (2) a private-browsing request.

References (8)

Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033274
Vendor Advisory x_refsource_confirm
https://support.apple.com/kb/HT205030
Mailing List, Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2016-03/msg00132.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/76341
Mailing List, Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Aug/msg00000.html
Vendor Advisory x_refsource_confirm
https://support.apple.com/kb/HT205033
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2937-1

Scores

EPSS 0.0275
EPSS Percentile 84.5%

Details

CWE
CWE-200
Status published
Products (4)
apple/iphone_os < 8.4.1
apple/safari 6.0 - 6.2.8
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 15.10
Published Aug 16, 2015
Tracked Since Feb 18, 2026