CVE-2009-3015

Name	CVE-2009-3015
Description	QtWeb 3.0 Builds 001 and 003 does not properly block javascript: and data: URIs in Refresh and Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains a javascript: URI, (2) entering a javascript: URI when specifying the content of a Refresh header, (3) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI, (4) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header, (5) injecting a Location header that contains JavaScript sequences in a data:text/html URI, or (6) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity	medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
kde4libs (PTS)	jessie (security), jessie	4:4.14.2-5+deb8u2	vulnerable
	stretch	4:4.14.26-2	vulnerable
	buster, sid	4:4.14.38-3	vulnerable
qt4-x11 (PTS)	jessie	4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1	vulnerable
	stretch	4:4.8.7+dfsg-11	vulnerable
	buster, sid	4:4.8.7+dfsg-17	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency
kde4libs	source	(unstable)	(unfixed)	unimportant
kdelibs	source	(unstable)	(unfixed)	unimportant
qt4-x11	source	(unstable)	(unfixed)	unimportant

This is a web site issue (open redirector), not a browser problem.