CVE-2015-3658 : The Page Loading functionality in WebKit in Apple Safari before 6.2.7, 7.x befor

The Page Loading functionality in WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7, as used in Apple iOS before 8.4 and other products, does not properly consider redirects during decisions about sending an Origin header, which makes it easier for remote attackers to bypass CSRF protection mechanisms via a crafted web site.

Published 2015-07-03 01:59:17

Updated 2016-12-28 02:59:14

Source Apple Inc.

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2015-3658

Apple » Mac Os X
Versions up to, including, (<=) 10.10.3
cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
Matching versions
Apple » Safari
Versions up to, including, (<=) 6.2.6
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.0
cpe:2.3:a:apple:safari:7.0:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.0.2
cpe:2.3:a:apple:safari:7.0.2:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.0.1
cpe:2.3:a:apple:safari:7.0.1:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.0.3
cpe:2.3:a:apple:safari:7.0.3:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.0.4
cpe:2.3:a:apple:safari:7.0.4:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.0.5
cpe:2.3:a:apple:safari:7.0.5:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 8.0.2
cpe:2.3:a:apple:safari:8.0.2:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.1.2
cpe:2.3:a:apple:safari:7.1.2:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.0.6
cpe:2.3:a:apple:safari:7.0.6:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.1.0
cpe:2.3:a:apple:safari:7.1.0:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 8.0.1
cpe:2.3:a:apple:safari:8.0.1:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.1.1
cpe:2.3:a:apple:safari:7.1.1:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 8.0.3
cpe:2.3:a:apple:safari:8.0.3:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.1.3
cpe:2.3:a:apple:safari:7.1.3:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.1.4
cpe:2.3:a:apple:safari:7.1.4:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 8.0.4
cpe:2.3:a:apple:safari:8.0.4:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.1.5
cpe:2.3:a:apple:safari:7.1.5:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 8.0.5
cpe:2.3:a:apple:safari:8.0.5:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 7.1.6
cpe:2.3:a:apple:safari:7.1.6:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 8.0.6
cpe:2.3:a:apple:safari:8.0.6:*:*:*:*:*:*:*
Matching versions
Apple » Safari » Version: 8.0
cpe:2.3:a:apple:safari:8.0:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os
Versions up to, including, (<=) 8.3
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-3658

EPSS FAQ

0.27%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 49 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-3658

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2015-3658

CWE-254

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-3658

http://support.apple.com/kb/HT204941

About the security content of iOS 8.4 - Apple Support
Vendor Advisory

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2937-1

USN-2937-1: WebKitGTK+ vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2016-03/msg00132.html

openSUSE-SU-2016:0915-1: moderate: Security update for webkitgtk

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2015/Jun/msg00004.html

Apple - Lists.apple.com
Vendor Advisory

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2015/Jun/msg00001.html

Apple - Lists.apple.com
Vendor Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/75492

WebKit Multiple Security Vulnerabilities

CVEs referencing this url
http://www.securitytracker.com/id/1032754

Apple Safari Bugs Let Remote Users Conduct Cross-Site Scripting, Cross-Site Request Forgery, and SQL Injection Attacks - SecurityTracker

CVEs referencing this url
http://support.apple.com/kb/HT204950

About the security content of Safari 8.0.7, Safari 7.1.7, and Safari 6.2.7 - Apple Support
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2015-3658

Products affected by CVE-2015-3658

Exploit prediction scoring system (EPSS) score for CVE-2015-3658

CVSS scores for CVE-2015-3658

CWE ids for CVE-2015-3658

References for CVE-2015-3658