CVSS: 4.3EPSS: 0%CPEs: 73EXPL: 2CVE-2009-1724 – WebKit - 'parent/top' Cross Domain Scripting
https://notcve.org/view.php?id=CVE-2009-1724
Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1 for iPod touch, and other platforms, allows remote attackers to inject arbitrary web script or HTML via vectors related to parent and top objects. Una vulnerabilidad de tipo cross-site scripting (XSS) en WebKit en Safari de Apple anterior a versión 4.0.2, tal y como es usado en iPhone OS anterior a versión 3.1, iPhone OS anterior a versión 3.1.1 para iPod touch, y otras plataformas, permite a los atacantes remotos inyectar script web o HTML arbitrario por medio de vectores relacionados con los objetos primarios y superiores. • https://www.exploit-db.com/exploits/33047 http://lists.apple.com/archives/security-announce/2009/Jul/msg00000.html http://lists.apple.com/archives/security-announce/2009/Sep/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html http://osvdb.org/55738 http://secunia.com/advisories/35758 http://secunia.com/advisories/36677 http://secunia.com/advisories/43068 http://support.apple.com/kb/HT3666 http://support.apple.com/kb/HT3860 http://www&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 3%CPEs: 73EXPL: 0CVE-2009-1725
https://notcve.org/view.php?id=CVE-2009-1725
WebKit in Apple Safari before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1 for iPod touch, and other platforms; KHTML in kdelibs in KDE; QtWebKit (aka Qt toolkit); and possibly other products do not properly handle numeric character references, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document. WebKit en Apple Safari anterior a v4.0.2, no maneja adecuadamente las referencias de caracteres numéricos, lo que permite a atacantes remotos ejecutar código de su elección o provocar una denegación de servicio (corrupción de memoria y caída de aplicación) a través de un documento HTML manipulado. • http://lists.apple.com/archives/security-announce/2009/Jul/msg00000.html http://lists.apple.com/archives/security-announce/2009/Sep/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html http://osvdb.org/55739 http://secunia.com/advisories/35758 http://secunia.com/advisories/36057 http://secunia.com/advisories/36062 http://secunia.com/advisories/36347 http://secunia.com/advisories/36677 http://secunia.com/advisories/36790 http://secunia.com/advi • CWE-189: Numeric Errors •
CVSS: 4.3EPSS: 22%CPEs: 2EXPL: 3CVE-2009-2419 – Apple Safari 4 - 'reload()' Denial of Service
https://notcve.org/view.php?id=CVE-2009-2419
Use-after-free vulnerability in the servePendingRequests function in WebCore in WebKit in Apple Safari 4.0 and 4.0.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted HTML document that references a zero-length .js file and the JavaScript reload function. NOTE: some of these details are obtained from third party information. Vulnerabilidad de uso-después-de-liberación en la función servePendingRequests en WebCore en WebKit en Apple Safari v4.0 y v4.0.1 permite a atacantes remotos provocar una denegación de servicio (cuelgue de aplicación) o posiblemente ejecutar código arbitrario a través de un documento HTML elaborado que hace referencia a un fichero .js de longitud cero y la función JavaScript recarga (reload). NOTA: algunos de estos detalles se obtienen a partir de información de terceros. • https://www.exploit-db.com/exploits/33062 http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html http://marcell-dietl.de/index/adv_safari_4_x_js_reload_dos.php http://secunia.com/advisories/33495 http://secunia.com/advisories/43068 http://trac.webkit.org/changeset/44519 http://www.osvdb.org/55587 http://www.securityfocus.com/bid/35555 http://www.vupen.com/english/advisories/2011/0212 https://exchange.xforce.ibmcloud.com/vulnerabilities/51533 • CWE-399: Resource Management Errors •
CVSS: 2.6EPSS: 0%CPEs: 34EXPL: 1CVE-2009-1710
https://notcve.org/view.php?id=CVE-2009-1710
WebKit in Apple Safari before 4.0 allows remote attackers to spoof the browser's display of (1) the host name, (2) security indicators, and unspecified other UI elements via a custom cursor in conjunction with a modified CSS3 hotspot property. WebKit en Apple Safari anteriores a v4.0 permite a atacantes remotos suplantar en la pantalla del navegador el (1) nombre del equipo, (2) indicadores de seguridad, y otros elementos de la interface del usuario a través de un cursor personalizado junto a la propiedad hotspot de CSS3 modificada. • http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html http://osvdb.org/55014 http://secunia.com/advisories/35379 http://secunia.com/advisories/37746 http://secunia.com/advisories/43068 http://support.apple.com/kb/HT3613 http://www.debian.org/security/2009/dsa-1950 http://www.securityfocus.com/bid/35260 http://www.securityfocus.com/bid/35340 http://www.vupen.com/english/advisories •
CVSS: 4.3EPSS: 0%CPEs: 34EXPL: 1CVE-2009-1715
https://notcve.org/view.php?id=CVE-2009-1715
Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in Apple Safari before 4.0 allows user-assisted remote attackers to inject arbitrary web script or HTML, and read local files, via vectors related to script execution with incorrect privileges. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Web Inspector en WebKit en Apple Safari anteriores a v4.0 permite a atacantes remotos ayudados por por el usuario inyectar secuencias de comandos web o HTML, y leer ficheros locales, a través de vectores relacionados con la ejecución de secuencias de comandos con privilegios incorrectos. • http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html http://osvdb.org/54996 http://secunia.com/advisories/35379 http://secunia.com/advisories/43068 http://securitytracker.com/id?1022344 http://support.apple.com/kb/HT3613 http://www.securityfocus.com/bid/35260 http://www.securityfocus.com/bid/35349 http://www.vupen.com/english/advisories/2009/1522 http://www.vupen.com/english/adv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •