CVE-2009-2352

CVSSv4: NA | CVSSv3: NA | CVSSv2: 4.3 | VMScore: 530 | EPSS: 0.0046 | KEV: Not Included
Published: 07/07/2009 Updated: 21/11/2024

Vulnerability Summary

Google Chrome 1.0.154.48 and earlier versions do not block `javascript:` URIs in Refresh headers in HTTP responses, which allows remote malicious users to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312. NOTE: it was later reported that 2.0.172.28, 2.0.172.37, and 3.0.193.2 Beta are also affected.

Vulnerable Product

google chrome

google chrome 0.2.149.29

google chrome 0.2.149.30

google chrome 0.2.152.1

google chrome 0.2.153.1

google chrome 0.3.154.0

google chrome 0.3.154.3

google chrome 0.4.154.18

google chrome 0.4.154.22

google chrome 0.4.154.31

google chrome 0.4.154.33

google chrome 1.0.154.36

google chrome 1.0.154.39

google chrome 1.0.154.42

google chrome 1.0.154.43

google chrome 1.0.154.46

Exploits

source: www.securityfocus.com/bid/35572/info

Google Chrome is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to execute arbitrary script code in the context of the user running the application and to steal cookie-based authentication credentials a ...