CVE-2016-4583
LOWWebKit - Same Origin Policy Bypass via SVG Timing Attack
Title source: llmDescription
WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to bypass the Same Origin Policy and obtain image date from an unintended web site via a timing attack involving an SVG document.
References (10)
Core 10
Core References
Mailing List, Vendor Advisory vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html
Mailing List, Vendor Advisory vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/91830
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT206900
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1036343
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/138502/WebKitGTK-SOP-Bypass-Information-Disclosure.html
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/539295/100/0/threaded
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT206905
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT206902
Mailing List, Vendor Advisory vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2016/Jul/msg00004.html
Scores
CVSS v3
3.1
EPSS
0.0183
EPSS Percentile
76.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Details
CWE
CWE-362
Status
published
Products (2)
apple/webkit
webkitgtk/webkitgtk\+
< 2.12.2
Published
Jul 22, 2016
Tracked Since
Feb 18, 2026