CVE-2015-3750
Severity CVSS v4.0:
Pending analysis
Type:
CWE-254
Security Features
Publication date:
16/08/2015
Last modified:
12/04/2025
Description
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not enforce the HTTP Strict Transport Security (HSTS) protection mechanism for Content Security Policy (CSP) report requests, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or spoof a report by modifying the client-server data stream.
Impact
Base Score 2.0
6.40
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* | 8.4 (including) | |
| cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* | 6.0 (including) | 6.2.8 (excluding) |
| cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* | 7.0 (including) | 7.1.8 (excluding) |
| cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* | 8.0 (including) | 8.0.8 (excluding) |
| cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* | 8.4.1 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00000.html
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
- http://lists.opensuse.org/opensuse-updates/2016-03/msg00054.html
- http://www.securityfocus.com/bid/76341
- http://www.securitytracker.com/id/1033274
- https://support.apple.com/kb/HT205030
- https://support.apple.com/kb/HT205033
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00000.html
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
- http://lists.opensuse.org/opensuse-updates/2016-03/msg00054.html
- http://www.securityfocus.com/bid/76341
- http://www.securitytracker.com/id/1033274
- https://support.apple.com/kb/HT205030
- https://support.apple.com/kb/HT205033