CVE-2009-2816 — Cross-Site Request Forgery in Apple Iphone OS

CWE-352 — Cross-Site Request Forgery5 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

2.2%

top 15.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Iphone OS Apple Safari Google Chrome +2 more

Timeline

PublishedNov 13

Latest updateMay 2

Description

The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4.0.4 and Google Chrome before 3.0.195.33, includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web page.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages4 packages

▶NVDapple/safari< 4.0.4

▶NVDgoogle/chrome< 3.0.195.33

▶NVDapple/iphone_os< 4.0

▶NVDopensuse/opensuse11.2, 11.3+1

Also affects: Fedora 11, 12

Patches

Patch: lists.apple.com ↗Patch: support.apple.com ↗Patch: lists.apple.com ↗

🔴Vulnerability Details

GHSA

GHSA-2wxv-94xf-vqv2: The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4↗2022-05-02

▶

OSV

CVE-2009-2816: The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4↗2009-11-13

▶

📋Vendor Advisories

Red Hat

qt: MITM in the WebKit's Cross-Origin Resource Sharing (CORS) implementation↗2009-11-11

▶

💬Community

Bugzilla

CVE-2009-2816 WebKit, qt: MITM in the WebKit's Cross-Origin Resource Sharing (CORS) implementation↗2009-09-25

▶