CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Percentile: 72.6%

The Content Security Policy implementation in WebKit in Apple Safari before
6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1
and other products, does not properly restrict cookie transmission for
report requests, which allows remote attackers to obtain sensitive
information via vectors involving (1) a cross-origin request or (2) a
private-browsing request.
Author | Note |
---|---|
jdstrand | webkit receives limited support. For details, see https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit |
jdstrand | webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8 |
lists.apple.com/archives/security-announce/2015/Aug/msg00000.html
lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
launchpad.net/bugs/cve/CVE-2015-3752
nvd.nist.gov/vuln/detail/CVE-2015-3752
security-tracker.debian.org/tracker/CVE-2015-3752
support.apple.com/kb/HT205030
support.apple.com/kb/HT205033
ubuntu.com/security/notices/USN-2937-1
www.cve.org/CVERecord?id=CVE-2015-3752