Open redirect in Apple iOS - CVE-2017-2497
Published: May 16, 2017
Vulnerability identifier: #VU6576
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-2497
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apple Inc.
Affected software:
Apple iOS
Apple iOS
Detailed vulnerability description
The vulnerability allows a remote attacker to perform phishing attacks.
The weakness exists due to improper validation of user-supplied data used to redirect visitors to external pages. A remote attacker can create a specially crafted ebook, trick the victim into opening it and redirect a user to a malicious Web site that would appear to be trusted and obtain potentially sensitive information.
Successful exploitation of the vulnerability will allow to steal valid user's credentials and use the information to conduct further attacks.
The weakness exists due to improper validation of user-supplied data used to redirect visitors to external pages. A remote attacker can create a specially crafted ebook, trick the victim into opening it and redirect a user to a malicious Web site that would appear to be trusted and obtain potentially sensitive information.
Successful exploitation of the vulnerability will allow to steal valid user's credentials and use the information to conduct further attacks.
How to mitigate CVE-2017-2497
Update to version 10.3.2.