CVE-2015-3658

Sažetak

The Page Loading functionality in WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7, as used in Apple iOS before 8.4 and other products, does not properly consider redirects during decisions about sending an Origin header, which makes it easier for remote attackers to bypass CSRF protection mechanisms via a crafted web site.

Reference

http://lists.apple.com/archives/security-announce/2015/Jun/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Jun/msg00004.html
http://lists.opensuse.org/opensuse-updates/2016-03/msg00132.html
http://support.apple.com/kb/HT204941
http://support.apple.com/kb/HT204950
http://www.securityfocus.com/bid/75492
http://www.securitytracker.com/id/1032754
http://www.ubuntu.com/usn/USN-2937-1

CVSS

Base:	6.8
Impact:	6.4
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

28-12-2016 - 02:59

Objavljeno

03-07-2015 - 01:59