CVE-2009-1724

NameCVE-2009-1724
DescriptionCross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1 for iPod touch, and other platforms, allows remote attackers to inject arbitrary web script or HTML via vectors related to parent and top objects.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs538402

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
kde4libs (PTS)jessie (security), jessie4:4.14.2-5+deb8u2vulnerable
stretch4:4.14.26-2vulnerable
buster, sid4:4.14.38-1vulnerable
qt4-x11 (PTS)jessie4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1fixed
stretch4:4.8.7+dfsg-11fixed
buster, sid4:4.8.7+dfsg-17fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kde4libssource(unstable)(unfixed)unimportant
kdelibssource(unstable)(unfixed)unimportant
qt4-x11source(unstable)(not affected)
qt4-x11sourceetch(not affected)
webkitsource(unstable)1.1.13-1low538402

Notes

- qt4-x11 <not-affected> (bug #538403)
[etch] - qt4-x11 <not-affected> (webkit support introduced in version 4.4)
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
http://www.thespanner.co.uk/2009/06/19/minor-safari-cross-domain-bug/

Search for package or bug name: Reporting problems