CRLF injection vulnerability in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to inject HTTP headers and bypass the Same Origin Policy via a crafted HTML document, related to cross-site scripting (XSS) attacks that depend on communication with arbitrary web sites on the same server through use of XMLHttpRequest without a Host header.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
21 Nov 2024, 01:03
Type | Values Removed | Values Added |
---|---|---|
References | () http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html - | |
References | () http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html - Patch, Vendor Advisory | |
References | () http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html - | |
References | () http://osvdb.org/54992 - | |
References | () http://secunia.com/advisories/35379 - Vendor Advisory | |
References | () http://secunia.com/advisories/37746 - | |
References | () http://secunia.com/advisories/43068 - | |
References | () http://securitytracker.com/id?1022344 - Patch | |
References | () http://support.apple.com/kb/HT3613 - Patch, Vendor Advisory | |
References | () http://support.apple.com/kb/HT3639 - | |
References | () http://www.debian.org/security/2009/dsa-1950 - | |
References | () http://www.securityfocus.com/bid/35260 - Exploit | |
References | () http://www.vupen.com/english/advisories/2009/1522 - Patch, Vendor Advisory | |
References | () http://www.vupen.com/english/advisories/2009/1621 - | |
References | () http://www.vupen.com/english/advisories/2011/0212 - |
Information
Published : 2009-06-10 18:00
Updated : 2024-11-21 01:03
NVD link : CVE-2009-1697
Mitre link : CVE-2009-1697
CVE.ORG link : CVE-2009-1697
JSON object : View
Products Affected
apple
- safari
CWE
CWE-20
Improper Input Validation