CVE-2015-3750 : WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as

WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not enforce the HTTP Strict Transport Security (HSTS) protection mechanism for Content Security Policy (CSP) report requests, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or spoof a report by modifying the client-server data stream.

Published 2015-08-16 23:59:24

Updated 2025-04-12 10:46:41

Source Apple Inc.

View at NVD, CVE.org

Products affected by CVE-2015-3750

Apple » Safari
Versions from including (>=) 7.0 and before (<) 7.1.8
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
Matching versions
Apple » Safari
Versions from including (>=) 6.0 and before (<) 6.2.8
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
Matching versions
Apple » Safari
Versions from including (>=) 8.0 and before (<) 8.0.8
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os
Versions up to, including, (<=) 8.4
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os
Versions before (<) 8.4.1
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-3750

EPSS FAQ

0.47%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 62 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-3750

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.4	MEDIUM	AV:N/AC:L/Au:N/C:P/I:P/A:N	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2015-3750

CWE-254

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-3750

http://lists.apple.com/archives/security-announce/2015/Aug/msg00000.html

Apple - Lists.apple.com
Mailing List;Vendor Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1033274

Apple Safari Flaws Let Remote Users Bypass Security Controls, Obtain Potentially Sensitive Information, Spoof Interfaces and URLS, and Execute Arbitrary Code - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.securityfocus.com/bid/76341

WebKit Same Origin Policy Multiple Security Bypass Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html

Apple - Lists.apple.com
Mailing List;Vendor Advisory

CVEs referencing this url
https://support.apple.com/kb/HT205030

About the security content of iOS 8.4.1 - Apple Support
Vendor Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2016-03/msg00054.html

openSUSE-SU-2016:0761-1: moderate: Security update for webkit2gtk3
Mailing List;Third Party Advisory

CVEs referencing this url
https://support.apple.com/kb/HT205033

About the security content of Safari 8.0.8, Safari 7.1.8, and Safari 6.2.8 - Apple Support
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2015-3750

Products affected by CVE-2015-3750

Exploit prediction scoring system (EPSS) score for CVE-2015-3750

CVSS scores for CVE-2015-3750

CWE ids for CVE-2015-3750

References for CVE-2015-3750