CVE-2015-3750
Description
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not enforce the HTTP Strict Transport Security (HSTS) protection mechanism for Content Security Policy (CSP) report requests, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or spoof a report by modifying the client-server data stream.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HSTS enforcement for CSP report requests is missing in WebKit, letting a MITM attacker intercept or spoof reports.
Vulnerability
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, and in iOS before 8.4.1, fails to enforce HTTP Strict Transport Security (HSTS) for Content Security Policy (CSP) report requests [1],[2]. HSTS is supposed to rewrite any http:// request to a host with a cached policy into an https:// request before it leaves the browser. WebKit skipped that upgrade step for the fetch that delivers a CSP violation report, so when a page's policy names an http:// report-uri the report is transmitted in cleartext, even though the page itself was loaded over HTTPS from a host whose HSTS policy the browser had already recorded.
Exploitation
A man-in-the-middle attacker positioned on the network between the user and the report endpoint can read the cleartext report request. A CSP violation report typically carries the document URI, referrer, blocked URI and violated directive, and some implementations add a sample of the offending script, so it can expose URLs (including query strings) and fragments of page content from a page the user loaded over HTTPS. Because the request is unauthenticated HTTP, the same attacker can also modify the client-to-server data stream to inject a forged violation report at the site's report endpoint.
Impact
Information disclosure (confidentiality) and integrity loss. The attacker obtains CSP report contents that may contain sensitive data from the protected page, and can inject false violation reports, which could lead to incorrect security monitoring, false alarms, or other downstream actions by the server based on report data.
Mitigation
Apple addressed the issue in Safari 6.2.8, 7.1.8, and 8.0.8, and in iOS 8.4.1 [1],[2]. Users should update their browser or operating system to the patched versions. No client-side workaround is described for unpatched systems. Independently of the browser fix, a site operator removes the dependency on HSTS by specifying the report-uri as an absolute https:// URL (or a path-relative URL on an HTTPS page), so that the report request is never issued over plain HTTP in the first place.
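The following is an added example for this page, not WebKit code or anything from the cited advisories. It models the HSTS upgrade step described in the Vulnerability section as a small in-memory HSTS store plus an upgrade function with a flag that reproduces the pre-fix behaviour (report requests skip the upgrade) beside the patched behaviour (every request kind is upgraded), and it adds a server-side audit helper for the Mitigation point: it resolves every report-uri in a CSP header against the page URL and lists the ones that are not https://. The host names, header values and the "csp-report" request-kind label are constructed for the demonstration; the store ignores the preload list and public-suffix rules.

```python
"""Toy model of the HSTS upgrade step for CSP report requests (constructed example)."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time at which the cached policy lapses
    include_subdomains: bool  # includeSubDomains directive was present


class HstsStore:
    """In-memory HSTS cache keyed by host name (no preload list, no public-suffix check)."""

    def __init__(self) -> None:
        self.entries: Dict[str, HstsEntry] = {}

    def add_from_header(self, host: str, header: str, now: Optional[float] = None) -> None:
        """Record a Strict-Transport-Security value received from `host` over HTTPS."""
        now = time.time() if now is None else now
        max_age, include_subdomains = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name, value = name.strip().lower(), value.strip('" ')
            if name == "max-age" and value.isdigit():
                max_age = int(value)
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return  # max-age is mandatory; a malformed header is ignored
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 clears the policy
            return
        self.entries[host.lower()] = HstsEntry(now + max_age, include_subdomains)

    def matches(self, host: str, now: Optional[float] = None) -> bool:
        """True if `host`, or a parent domain with includeSubDomains, has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def hsts_upgrade(url: str, store: HstsStore, request_kind: str,
                 enforce_for_reports: bool, now: Optional[float] = None) -> str:
    """Return the URL the browser actually fetches.

    enforce_for_reports=False reproduces the pre-fix behaviour: the upgrade is
    skipped for "csp-report" requests, so an http:// report-uri goes out in
    cleartext. The patched behaviour applies the upgrade to every request kind.
    """
    if request_kind == "csp-report" and not enforce_for_reports:
        return url
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname or not store.matches(parts.hostname, now):
        return url
    # Explicit port 80 becomes the https default; any other explicit port is kept.
    netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def csp_report_endpoints(csp_header: str, page_url: str) -> List[str]:
    """Resolve every report-uri target in a CSP header against the page URL."""
    endpoints: List[str] = []
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "report-uri":
            endpoints.extend(urljoin(page_url, t) for t in tokens[1:])
    return endpoints


def insecure_report_endpoints(csp_header: str, page_url: str) -> List[str]:
    """Report targets a browser without HSTS enforcement for reports would fetch over cleartext."""
    return [u for u in csp_report_endpoints(csp_header, page_url) if urlsplit(u).scheme != "https"]


if __name__ == "__main__":
    T0 = 1_000_000.0  # fixed clock so the run is deterministic
    store = HstsStore()
    # Constructed: example.com sent this header on an earlier HTTPS visit.
    store.add_from_header("example.com", "max-age=31536000; includeSubDomains", now=T0)
    page = "https://example.com/account"
    csp = "default-src 'self'; report-uri http://reports.example.com/csp"
    for target in csp_report_endpoints(csp, page):
        print("pre-fix browser sends report to:", hsts_upgrade(target, store, "csp-report", False, T0))
        print("patched browser sends report to:", hsts_upgrade(target, store, "csp-report", True, T0))
    print("report-uri values to fix in the policy:", insecure_report_endpoints(csp, page))
```

Run it as a script to see the same report-uri go out as http:// under the pre-fix path and https:// under the patched path; insecure_report_endpoints is the check a site operator can run over their own CSP headers regardless of which browser their users have.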
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* range: >=6.0 <6.2.8
- (no CPE) range: <6.2.8, >=7.0 <7.1.8, >=8.0 <8.0.8 (Safari, per the description)
- (no CPE) range: <8.4.1 (iOS, per the description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.apple.com/archives/security-announce/2015/Aug/msg00000.html (NVD: Mailing List, Vendor Advisory)
- lists.apple.com/archives/security-announce/2015/Aug/msg00002.html (NVD: Mailing List, Vendor Advisory)
- lists.opensuse.org/opensuse-updates/2016-03/msg00054.html (NVD: Mailing List, Third Party Advisory)
- www.securityfocus.com/bid/76341 (NVD: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1033274 (NVD: Third Party Advisory, VDB Entry)
- support.apple.com/kb/HT205030 (NVD: Vendor Advisory)
- support.apple.com/kb/HT205033 (NVD: Vendor Advisory)
News mentions
No linked articles in our index yet.