The page-loading implementation in WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, does not properly handle the rel attribute in an A element, which allows remote attackers to bypass the Same Origin Policy for a link's target, and spoof the user interface, via a crafted web site.
Information
Published : 2015-05-07 17:59
Updated : 2016-11-28 11:17
NVD link : CVE-2015-1156
Mitre link : CVE-2015-1156
CWE
CWE-264
Permissions, Privileges, and Access Controls
Products Affected
apple
- iphone_os
- safari