CVE-2009-1697

Exploit

EPSS 0.19%
Published 10.06.2009 18:00:00
Last modified 09.04.2025 00:30:58
Source cve@mitre.org
Teams watchlist Login
Open Login

CRLF injection vulnerability in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to inject HTTP headers and bypass the Same Origin Policy via a crafted HTML document, related to cross-site scripting (XSS) attacks that depend on communication with arbitrary web sites on the same server through use of XMLHttpRequest without a Host header.

Affected products Warnungen 0 Metrics 2 CWE 1 References 18

Data is provided by the National Vulnerability Database (NVD)

Apple ≫ Safari Editionmac Version <= 4.0_beta

Apple ≫ Safari Version0.8 Editionmac

Apple ≫ Safari Version0.9 Editionmac

Apple ≫ Safari Version1.0 Editionmac

Apple ≫ Safari Version1.0.3 Editionmac

Apple ≫ Safari Version1.1 Editionmac

Apple ≫ Safari Version1.2 Editionmac

Apple ≫ Safari Version1.3 Editionmac

Apple ≫ Safari Version1.3.1 Editionmac

Apple ≫ Safari Version1.3.2 Editionmac

Apple ≫ Safari Version2.0 Editionmac

Apple ≫ Safari Version2.0.2 Editionmac

Apple ≫ Safari Version2.0.4 Editionmac

Apple ≫ Safari Version3.0 Editionmac

Apple ≫ Safari Version3.0.2 Update- Editionmac

Apple ≫ Safari Version3.0.3 Editionmac

Apple ≫ Safari Version3.0.4 Editionmac

Apple ≫ Safari Version3.1 Editionmac

Apple ≫ Safari Version3.1.1 Editionmac

Apple ≫ Safari Version3.1.2 Editionmac

Apple ≫ Safari Version3.2.1 Editionmac

Apple ≫ Safari Version3.2.3 Editionmac

Apple ≫ Safari Editionwindows Version <= 3.2.3

Apple ≫ Safari Version3.0 Editionwindows

Apple ≫ Safari Version3.0.1 Editionwindows

Apple ≫ Safari Version3.0.2 Editionwindows

Apple ≫ Safari Version3.0.3 Editionwindows

Apple ≫ Safari Version3.0.4 Editionwindows

Apple ≫ Safari Version3.1 Editionwindows

Apple ≫ Safari Version3.1.1 Editionwindows

Apple ≫ Safari Version3.1.2 Editionwindows

Apple ≫ Safari Version3.2 Update- Editionwindows

Apple ≫ Safari Version3.2.1 Editionwindows

Apple ≫ Safari Version3.2.2 Editionwindows

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.19%	0.414

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html

Patch

Vendor Advisory

http://secunia.com/advisories/35379

Vendor Advisory

http://support.apple.com/kb/HT3613

Patch

Vendor Advisory

http://www.vupen.com/english/advisories/2009/1522

Patch

Vendor Advisory

http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html