NA
CVSSv3

CVE-2009-3011

CVSSv4: NA | CVSSv3: NA | CVSSv2: 4.3 | VMScore: 530 | EPSS: 0.0022 | KEV: Not Included
Published: 31/08/2009 Updated: 21/11/2024

Vulnerability Summary

Google Chrome 1.0.154.48 and previous versions, 2.0.172.28, 2.0.172.37, and 3.0.193.2 Beta does not properly block data: URIs in Refresh headers in HTTP responses, which allows remote malicious users to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. NOTE: the JavaScript executes outside of the context of the HTTP site.

Vulnerable Product Search on Vulmon Subscribe to Product

google chrome

google chrome 0.2.149.27

google chrome 0.2.149.29

google chrome 0.2.149.30

google chrome 0.2.152.1

google chrome 0.2.153.1

google chrome 0.3.154.0

google chrome 0.3.154.3

google chrome 0.4.154.18

google chrome 0.4.154.22

google chrome 0.4.154.31

google chrome 0.4.154.33

google chrome 1.0.154.36

google chrome 1.0.154.39

google chrome 1.0.154.42

google chrome 1.0.154.43

google chrome 1.0.154.46

google chrome 2.0.172.28

google chrome 2.0.172.37

google chrome 3.0.193.2

Vendor Advisories

Debian Bug report logs - #599830 Multiple security issues Package: webkit; Maintainer for webkit is (unknown); Reported by: Moritz Muehlenhoff <jmm@debianorg> Date: Mon, 11 Oct 2010 17:51:09 UTC Severity: grave Tags: security Fixed in version 125-1 Done: Gustavo Noronha Silva <kov@debianorg> Bug is archived N ...