Vulnerability Details:

CVE-2025-14812

Summary
Assigner: BCNY
Assigner Org ID: 59469e6c-7ea7-446f-8e43-06aa32c115e8
Published At: 19 Dec, 2025 | 16:38
Updated At: 19 Dec, 2025 | 16:39

Address bar spoofing risk in Arc Search on iOS

ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk.

Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner: BCNY
Assigner Org ID: 59469e6c-7ea7-446f-8e43-06aa32c115e8
Published At: 19 Dec, 2025 | 16:38
Updated At: 19 Dec, 2025 | 16:39
CVE Numbering Authority (CNA)
Affected Products
Vendor: The Browser Company of New York
Product: ArcSearch
Modules: Address bar / Omnibox (address bar UI)
Platforms: iOS
Default Status: unaffected
Versions (Affected): From 0 before 1.45.2 (semver)
Problem Types
Type: CWE
CWE ID: CWE-1021
Description: CWE-1021 Improper Restriction of Rendered UI Layers or Frames
Metrics
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Impacts
CAPEC ID: CAPEC-154
Description: CAPEC-154 Resource Location Spoofing
Solutions

Upgrade ArcSearch on iOS to version 1.45.2 or newer.

References
Hyperlink: https://arc.net/security/bulletins#cve-2025-14812-address-bar-spoofing-risk-iframe-triggered-uri-navigation-on-arc-search-ios
Resource: N/A
National Vulnerability Database (NVD)
nvd.nist.gov
Source: 59469e6c-7ea7-446f-8e43-06aa32c115e8
Published At: 19 Dec, 2025 | 17:15
Updated At: 19 Dec, 2025 | 18:00

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Weaknesses
CWE ID: CWE-1021
Type: Secondary
Source: 59469e6c-7ea7-446f-8e43-06aa32c115e8
References
Hyperlink: https://arc.net/security/bulletins#cve-2025-14812-address-bar-spoofing-risk-iframe-triggered-uri-navigation-on-arc-search-ios
Source: 59469e6c-7ea7-446f-8e43-06aa32c115e8
Resource: N/A

Similar CVEs

4 Records found

CVE-2025-14809
Matching Score: 6
Assigner: 59469e6c-7ea7-446f-8e43-06aa32c115e8
CVSS Score: 7.4 (HIGH)
EPSS: 0.05% / 15.89%
7 Day CHG~0.00%
Published: 19 Dec, 2025 | 16:39
Updated: 19 Dec, 2025 | 18:00
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Address bar spoofing risk in ArcSearch on Android

ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

Action: Not Available
Vendor: The Browser Company of New York
Product: ArcSearch
CWE ID: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)

CVE-2025-13132
Matching Score: 6
Assigner: 59469e6c-7ea7-446f-8e43-06aa32c115e8
CVSS Score: 7.4 (HIGH)
EPSS: 0.03% / 8.77%
7 Day CHG~0.00%
Published: 21 Nov, 2025 | 17:55
Updated: 25 Nov, 2025 | 22:16
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Dia: Increased Spoof Risk; Missing full screen toast

This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (like a fake address bar.)

Action: Not Available
Vendor: The Browser Company of New York
Product: Dia
CWE ID: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)

CVE-2025-15032
Matching Score: 6
Assigner: 59469e6c-7ea7-446f-8e43-06aa32c115e8
CVSS Score: 7.4 (HIGH)
EPSS: 0.01% / 1.84%
7 Day CHG~0.00%
Published: 16 Jan, 2026 | 18:11
Updated: 26 Jan, 2026 | 15:05
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
CVE-2025-15032: Increased Spoofing risk; custom new window missing about:blank

Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site.

Action: Not Available
Vendor: The Browser Company of New York
Product: Dia
CWE ID: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)

CVE-2022-36319
Matching Score: 4
Assigner: Mozilla Corporation
CVSS Score: 7.5 (HIGH)
EPSS: 0.15% / 35.05%
7 Day CHG-0.01%
Published: 22 Dec, 2022 | 00:00
Updated: 15 Apr, 2025 | 17:15
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

Action: Not Available
Vendor: Mozilla Corporation
Product: firefox_esr, thunderbird, firefox, Thunderbird, Firefox ESR, Firefox
CWE ID: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)