CVE-2015-5828

MEDIUM

Description

The API in the WebKit Plug-ins component in Apple Safari before 9 does not provide notification of an HTTP Redirection (aka 3xx) status code to a plugin, which allows remote attackers to bypass intended request restrictions via a crafted web site.

References

http://lists.apple.com/archives/security-announce/2015/Sep/msg00007.html

http://lists.opensuse.org/opensuse-updates/2016-03/msg00054.html

http://www.securityfocus.com/bid/79707

http://www.securitytracker.com/id/1033688

https://support.apple.com/HT205265

Details

Source: MITRE

Published: 2015-10-09

Updated: 2018-10-30

Type: CWE-20

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* versions up to 8.0.8 (inclusive)

Tenable Plugins

View all (4 total)

IDNameProductFamilySeverity
89950openSUSE Security Update : webkit2gtk3 (openSUSE-2016-340)NessusSuSE Local Security Checks
medium
8976Safari < 9.0 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
medium
86270Mac OS X < 10.11 Multiple Vulnerabilities (GHOST)NessusMacOS X Local Security Checks
critical
86252Mac OS X : Apple Safari < 9.0 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
critical