CVE-2015-3751
Description
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, allows remote attackers to bypass a Content Security Policy protection mechanism by using a video control in conjunction with an IMG element within an OBJECT element.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Content Security Policy bypass in Safari WebKit allows a remote attacker to violate policy via an OBJECT element containing an IMG with a video control.
Vulnerability
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, contains a security issue that allows remote attackers to bypass Content Security Policy (CSP) protection. The bypass is achieved by using a video control in conjunction with an IMG element placed inside an OBJECT element [1][2].
Exploitation
An attacker must be able to serve a maliciously crafted web page to the victim. No authentication or special network position beyond standard web delivery is required. The exploit sequence involves embedding an OBJECT element that contains an IMG element and a video control, which causes WebKit to incorrectly evaluate the CSP directive and allow content that should be blocked [1][2].
Impact
Successful exploitation enables a remote attacker to bypass the Content Security Policy of a vulnerable browser. This can lead to UI spoofing or other information disclosure by allowing unintended script execution or resource loading that the policy was designed to restrict. The attacker gains the ability to serve content that violates the site's CSP, potentially misleading the user or exfiltrating data [1][2].
Mitigation
Apple addressed the issue in Safari 6.2.8, 7.1.8, and 8.0.8 for OS X, and in iOS 8.4.1, all released on August 13, 2015. Users should update their software to these fixed versions. No workaround is described in the references; applying the security update is the recommended mitigation [1][2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*range: >=6.0,<6.2.8
- (no CPE)range: <8.0.8
- Range: <8.4.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- lists.apple.com/archives/security-announce/2015/Aug/msg00000.htmlnvdMailing ListVendor Advisory
- lists.apple.com/archives/security-announce/2015/Aug/msg00002.htmlnvdMailing ListVendor Advisory
- lists.opensuse.org/opensuse-updates/2016-03/msg00054.htmlnvdMailing ListThird Party Advisory
- www.securityfocus.com/bid/76341nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1033274nvdThird Party AdvisoryVDB Entry
- support.apple.com/kb/HT205030nvdVendor Advisory
- support.apple.com/kb/HT205033nvdVendor Advisory
News mentions
0No linked articles in our index yet.