CVE-2016-4591
HIGHWebKit - Remote Filesystem Access via Location Variable Mishandling
Title source: llmDescription
WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 mishandles the location variable, which allows remote attackers to access the local filesystem via unspecified vectors.
References (10)
Core 10
Core References
Mailing List, Vendor Advisory vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html
Mailing List, Vendor Advisory vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/91830
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT206900
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1036343
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/138502/WebKitGTK-SOP-Bypass-Information-Disclosure.html
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/539295/100/0/threaded
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT206905
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT206902
Mailing List, Vendor Advisory vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2016/Jul/msg00004.html
Scores
CVSS v3
7.5
EPSS
0.0422
EPSS Percentile
89.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-284
Status
published
Products (1)
apple/webkit
Published
Jul 22, 2016
Tracked Since
Feb 18, 2026