CVE-2009-1699
published 2009-06-10


Priority: P262 high; 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 29.10% (97.9th percentile)
The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."

Affected

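6 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | iphone_os | 1.0.0 – 2.2.1 | |
| apple | safari | < 4.0 | 4.0 |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| opensuse | opensuse | | |
| opensuse | opensuse | | |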

Detection & IOCs (extracted from sources)

url: file:///etc/passwd
  • Detect XXE attack via crafted DTD in XSL stylesheets referencing local file:// URIs — look for XML documents with DOCTYPE declarations containing SYSTEM entities pointing to file:// scheme URIs, processed by WebKit's XSL engine.
  • Detect XML responses served with XML MIME type that include an xml-stylesheet processing instruction referencing an external XSL file, combined with a DTD containing external entity declarations (SYSTEM keyword) — this is the two-stage delivery mechanism for the attack.
  • Detect XSL stylesheets containing DOCTYPE declarations with external SYSTEM entity references (e.g., <!ENTITY ent SYSTEM "...">), especially those referencing file:// or other local resource URIs, as these are the payload carrier for the XXE file theft.
  • The vulnerability is specific to WebKit's XSL stylesheet XML parser in Apple Safari before version 4.0, and iPhone OS 1.0–2.2.1 / iPod touch OS 1.1–2.2.1; patched versions are not affected.
  • The XXE attack is triggered specifically through the XSL XML parsing path, not general XML parsing — detection rules should target XSL/XSLT documents with DTD external entities, not all XML.
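
The detection notes above, as an added example that is not from the original page or any vendor rule set: a scanner that flags XSL stylesheets whose DTD declares external entities and leaves non-XSL XML alone. It matches on text instead of parsing, so it never resolves an entity itself; the function names, the severity labels and the sample documents are assumptions constructed for illustration.

```python
import re

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
ROOT_RE = re.compile(r"<(?:[\w.-]+:)?(?:stylesheet|transform)\b[^>]*>", re.S)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\s[^\[>]*\[(.*?)\]\s*>", re.S)  # internal subset
ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(%\s+)?([\w.:-]+)\s+
        (?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s+
        (?:"([^"]*)"|'([^']*)')""", re.S | re.X)

def is_xslt(text):
    # Root element must be stylesheet/transform bound to the XSLT namespace.
    m = ROOT_RE.search(text)
    return bool(m) and XSLT_NS in m.group(0)

def scan_stylesheet(text):
    """Return external-entity findings for an XSL document; [] if not XSL or clean."""
    text = COMMENT_RE.sub("", text)  # ignore declarations inside comments
    if not is_xslt(text):
        return []  # scope per the notes above: XSL parsing path only
    findings = []
    for subset in DOCTYPE_RE.findall(text):
        for m in ENTITY_RE.finditer(subset):
            uri = m.group(3) if m.group(3) is not None else m.group(4)
            local = uri.strip().lower().startswith("file:")
            findings.append({"entity": m.group(2), "uri": uri,
                             "parameter": bool(m.group(1)),
                             "severity": "high" if local else "medium"})
    return findings

# Constructed samples (not captured traffic).
SUSPECT_XSL = '''<?xml version="1.0"?>
<!DOCTYPE xsl:stylesheet [
  <!ENTITY ent SYSTEM "file:///etc/passwd">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><out/></xsl:template>
</xsl:stylesheet>'''
CLEAN_XSL = '''<!DOCTYPE xsl:stylesheet [ <!ENTITY nbsp "&#160;"> ]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"/>'''
PLAIN_XML = '''<!DOCTYPE doc [ <!ENTITY e SYSTEM "file:///etc/passwd"> ]>
<doc/>'''

if __name__ == "__main__":
    for name in ("SUSPECT_XSL", "CLEAN_XSL", "PLAIN_XML"):
        print(name, scan_stylesheet(globals()[name]))
```

A DTD loaded from an external subset is outside what this text match sees, so a stylesheet whose DOCTYPE itself carries a SYSTEM identifier needs a separate rule.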

CVSS provenance

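| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 7.1 | HIGH | AV:N/AC:M/Au:N/C:C/I:N/A:N |
| vendor_ubuntu | | 9.3 | CRITICAL | |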