CVE-2009-2352

Google Chrome 1.0.154.48 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312. NOTE: it was later reported that 2.0.172.28, 2.0.172.37, and 3.0.193.2 Beta are also affected.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:0.2.149.29:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:0.2.149.30:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:0.2.152.1:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:0.2.153.1:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:0.3.154.0:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:0.3.154.3:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:0.4.154.18:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:0.4.154.22:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:0.4.154.31:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:0.4.154.33:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:1.0.154.36:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:1.0.154.39:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:1.0.154.42:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:1.0.154.43:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:1.0.154.46:*:*:*:*:*:*:*

History

21 Nov 2024, 01:04

Type Values Removed Values Added
References () http://websecurity.com.ua/3275/ - () http://websecurity.com.ua/3275/ -
References () http://websecurity.com.ua/3386/ - () http://websecurity.com.ua/3386/ -
References () http://www.securityfocus.com/archive/1/504718/100/0/threaded - () http://www.securityfocus.com/archive/1/504718/100/0/threaded -
References () http://www.securityfocus.com/archive/1/504723/100/0/threaded - () http://www.securityfocus.com/archive/1/504723/100/0/threaded -
References () http://www.securityfocus.com/bid/35572 - Exploit () http://www.securityfocus.com/bid/35572 - Exploit

Information

Published : 2009-07-07 23:30

Updated : 2024-11-21 01:04


NVD link : CVE-2009-2352

Mitre link : CVE-2009-2352

CVE.ORG link : CVE-2009-2352


JSON object : View

Products Affected

google

  • chrome
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')