CVE-2015-3750

medium

Description

WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not enforce the HTTP Strict Transport Security (HSTS) protection mechanism for Content Security Policy (CSP) report requests, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or spoof a report by modifying the client-server data stream.

References

http://lists.apple.com/archives/security-announce/2015/Aug/msg00000.html

http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html

http://lists.opensuse.org/opensuse-updates/2016-03/msg00054.html

http://www.securityfocus.com/bid/76341

http://www.securitytracker.com/id/1033274

https://support.apple.com/kb/HT205030

https://support.apple.com/kb/HT205033

Details

Source: MITRE

Published: 2015-08-16

Updated: 2019-02-07

Type: CWE-254

Risk Information

CVSS v2

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM