CVE-2009-3015

Name	CVE-2009-3015
Description	QtWeb 3.0 Builds 001 and 003 does not properly block javascript: and data: URIs in Refresh and Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains a javascript: URI, (2) entering a javascript: URI when specifying the content of a Refresh header, (3) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI, (4) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header, (5) injecting a Location header that contains JavaScript sequences in a data:text/html URI, or (6) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
kde4libs (PTS)	stretch	4:4.14.26-2	vulnerable
	buster	4:4.14.38-3	vulnerable
qt4-x11 (PTS)	stretch	4:4.8.7+dfsg-11	vulnerable
	stretch (security)	4:4.8.7+dfsg-11+deb9u3	vulnerable
	buster	4:4.8.7+dfsg-18+deb10u1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency
kde4libs	source	(unstable)	(unfixed)	unimportant
kdelibs	source	(unstable)	(unfixed)	unimportant
qt4-x11	source	(unstable)	(unfixed)	unimportant

This is a web site issue (open redirector), not a browser problem.