HTTP Referrer Leakage in Safari and iTunes Products by Apple
CVE-2019-8827

4.3MEDIUM

Key Information:

Vendor
Apple
Status
iOS And iPad OS
TV OS
Safari
Itunes For Windows
Vendor
CVE Published:
27 October 2020

Summary

The vulnerability involves an improper handling of the HTTP referrer header that may expose users' browsing history to malicious sites. When a user visits a crafted website, sensitive information about previously visited sites can potentially be leaked, which raises significant privacy concerns. Apple addressed the issue by implementing measures to ensure that all third-party referrers are downgraded to their origin, effectively mitigating the risk in various products including Safari and iTunes.

Affected Version(s)

iCloud for Windows < 7.15

iCloud for Windows < 10.9

iOS and iPadOS < 13.2

References

https://support.apple.com/en-us/HT210721
x_refsource_MISC
https://support.apple.com/en-us/HT210723
x_refsource_MISC
https://support.apple.com/en-us/HT210725
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.