Metric | Value |
---|---|
CVSS2 | 5 Medium |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
CVSS2 Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |
AI Score | 8.1 High |
Confidence | High |
EPSS | 0.005 Low |
Percentile | 76.1% |

The WebKit component in Safari in Apple iPhone OS before 3.1, and iPhone OS before 3.1.1 for iPod touch, does not remove usernames and passwords from URLs sent in Referer headers, which allows remote attackers to obtain sensitive information by reading Referer logs on a web server.
CPE | Name | Operator | Version |
---|---|---|---|
apple:iphone_os | apple iphone os | lt | 3.1 |
apple:iphone_os | apple iphone os | lt | 3.1.1 |
lists.apple.com/archives/security-announce/2009/Sep/msg00001.html
lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
secunia.com/advisories/36677
secunia.com/advisories/41856
secunia.com/advisories/43068
support.apple.com/kb/HT3860
www.mandriva.com/security/advisories?name=MDVSA-2011:039
www.securityfocus.com/bid/36339
www.ubuntu.com/usn/USN-1006-1
www.vupen.com/english/advisories/2010/2722
www.vupen.com/english/advisories/2011/0212
www.vupen.com/english/advisories/2011/0552
exchange.xforce.ibmcloud.com/vulnerabilities/53187