#VU6576 Open redirect in Apple iOS - CVE-2017-2497
Published: May 16, 2017
Vulnerability identifier: #VU6576
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-2497
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apple iOS
Apple iOS
Software vendor:
Apple Inc.
Apple Inc.
Description
The vulnerability allows a remote attacker to perform phishing attacks.
The weakness exists due to improper validation of user-supplied data used to redirect visitors to external pages. A remote attacker can create a specially crafted ebook, trick the victim into opening it and redirect a user to a malicious Web site that would appear to be trusted and obtain potentially sensitive information.
Successful exploitation of the vulnerability will allow to steal valid user's credentials and use the information to conduct further attacks.
The weakness exists due to improper validation of user-supplied data used to redirect visitors to external pages. A remote attacker can create a specially crafted ebook, trick the victim into opening it and redirect a user to a malicious Web site that would appear to be trusted and obtain potentially sensitive information.
Successful exploitation of the vulnerability will allow to steal valid user's credentials and use the information to conduct further attacks.
Remediation
Update to version 10.3.2.