CVE-2015-3752

The Content Security Policy implementation in WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not properly restrict cookie transmission for report requests, which allows remote attackers to obtain sensitive information via vectors involving (1) a cross-origin request or (2) a private-browsing request.

Published: Aug 16, 2015
Updated: Nov 9, 2025
CVE: CVE-2015-3752
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
apple / safari	6.0	6.2.8
apple / safari	7.0	7.1.8
apple / safari	8.0	8.0.8
apple / iphone_os	-	8.4.1
canonical / ubuntu_linux	15.10	15.10.x
canonical / ubuntu_linux	14.04	14.04.x

http://lists.apple.com/archives/security-announce/2015/Aug/msg00000.html
http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
http://lists.opensuse.org/opensuse-updates/2016-03/msg00132.html
http://www.securityfocus.com/bid/76341
http://www.securitytracker.com/id/1033274
http://www.ubuntu.com/usn/USN-2937-1
https://support.apple.com/kb/HT205030
https://support.apple.com/kb/HT205033

Vulnerability Database

CVE-2015-3752

Deep Security Visibility Without the Complexity