VYPR
Unrated severity · NVD Advisory · Published Aug 16, 2015 · Updated May 6, 2026

CVE-2015-3755

Description

WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, allows remote attackers to spoof the user interface via a malformed URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WebKit in Safari on iOS and OS X fails to validate malformed URLs, allowing remote attackers to spoof the browser's user interface.

Vulnerability

WebKit in Apple Safari versions before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not properly validate malformed URLs. This allows a remote attacker to spoof the browser's user interface. The issue is present in Safari's URL parsing and display logic, affecting all supported platforms including OS X Mountain Lion, Mavericks, Yosemite, and iOS [1][2].

Exploitation

An attacker can host a malicious website that crafts a specially malformed URL. When the user visits this site, Safari's WebKit renders a fake URL in the address bar or prompts the user with a dialog that appears to originate from a trusted site. No additional authentication or user interaction beyond visiting the site is required. The attacker does not need any special network position; the attack is performed remotely via standard web traffic [1][2].

Impact

Successful exploitation allows the attacker to spoof the Safari user interface, leading to potential phishing attacks. The user may be tricked into entering sensitive information or performing actions believing they are interacting with a legitimate website. The impact is limited to UI spoofing; there is no code execution or direct data leakage, but the deception can be used to harvest credentials or other data [1][2].

Mitigation

Apple released fixes in Safari 6.2.8, 7.1.8, and 8.0.8 for OS X, and iOS 8.4.1. Users should update to these versions or later. The patches are available via Apple's software update mechanism [1][2]. No workaround is documented; applying the official updates is the recommended mitigation.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • Apple Inc./Safari (2 versions)
    • cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (range: >=6.0,<6.2.8)
    • (no CPE) (range: <6.2.8 or <7.1.8 or <8.0.8)
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
    Range: <8.4.1
  • Apple Inc./iOS (llm-fuzzy)
    Range: <8.4.1

Patches

0

No patches discovered yet.

References

7
