CVE-2016-1779
medium
CVSS v3
6.5
CVSS v2
4.3
VIR risk
6.5
Description
WebKit in Apple iOS before 9.3 and Safari before 9.1 allows remote attackers to bypass the Same Origin Policy and obtain physical-location data via a crafted geolocation request.
Predictions
Exploit likelihood
75%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: product-security@apple.com — https://support.apple.com/HT206171
Vendor advisory: product-security@apple.com — https://support.apple.com/HT206166
Vendor advisory: product-security@apple.com — http://lists.apple.com/archives/security-announce/2016/Mar/msg00005.html
Vendor advisory: product-security@apple.com — http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| macos | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apple | safari | {"endIncluding":"9.0.3"} | |
References
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00005.html
- http://www.securityfocus.com/archive/1/537948/100/0/threaded
- http://www.securitytracker.com/id/1035353
- https://support.apple.com/HT206166
- https://support.apple.com/HT206171
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00005.html
- http://www.securityfocus.com/archive/1/537948/100/0/threaded
- http://www.securitytracker.com/id/1035353
- https://support.apple.com/HT206166
- https://support.apple.com/HT206171
CWEs
CWE-200
Verify integrity in audit chain (admin only). AS-IS.