VYPR
Unrated severity · NVD Advisory · Published Jul 1, 2014 · Updated May 6, 2026

CVE-2014-1345

Description

WebKit in Apple iOS before 7.1.2 and Apple Safari before 6.1.5 and 7.x before 7.0.5 does not properly encode domain names in URLs, which allows remote attackers to spoof the address bar via a crafted web site.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WebKit in iOS before 7.1.2 and Safari before 6.1.5/7.0.5 fails to properly encode domain names, enabling address bar spoofing via crafted websites.

Vulnerability

WebKit in Apple iOS before 7.1.2 and Safari before 6.1.5 and 7.x before 7.0.5 does not properly encode internationalized domain names (IDNs) or other domain strings in URLs [1]. This allows a crafted website to present a misleading domain in the address bar while the actual connection is to a different host. The issue lies in the URL parsing and display logic of WebKit, affecting the default browser on these platforms.

Exploitation

An attacker can serve a specially crafted webpage that includes a URL with a domain that, due to improper encoding, appears as a legitimate or trusted domain in the browser's address bar [1]. No user interaction beyond visiting the malicious site is required, and the attacker does not need any prior authentication or network position beyond hosting a web page. The browser's automatic URL display without proper validation enables the spoofing.

Impact

Successful exploitation allows an attacker to spoof the address bar, making a malicious website appear as a trusted one. This can be used to trick users into providing sensitive information (e.g., login credentials) or downloading malware, undermining the user's trust in the displayed URL. The attack leads to information disclosure and potential further compromise, but does not directly grant code execution or elevated privileges.

Mitigation

Apple released fixes in iOS 7.1.2 and Safari 6.1.5 / 7.0.5 [1]. Users should update to these versions or later to remediate the vulnerability. No workaround is documented, and the issue is not listed in the CISA KEV catalog [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

27
  • Apple Inc./Safari: 17 versions
    cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* + 16 more
    • cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (range: <=6.1.4)
    • cpe:2.3:a:apple:safari:6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:6.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:6.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:6.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:6.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:6.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:6.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:6.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:6.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:7.0.4:*:*:*:*:*:*:*
    • (no CPE) range: <6.1.5 (Safari 6.x) and <7.0.5 (Safari 7.x)
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* + 8 more
    • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (range: <=7.1.1)
    • cpe:2.3:o:apple:iphone_os:7.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.1:*:*:*:*:*:*:*
  • Apple Inc./iOS (llm-fuzzy)
    Range: <7.1.2

Patches

0

No patches discovered yet.

References

5
