CVE-2009-2841: Apple Safari vulnerability

5 documents, 5 sources

Severity: 5.0 MEDIUM (NVD)
EPSS: 3.9% (top 11.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Nov 13, latest update May 2

Description

The HTMLMediaElement::loadResource function in html/HTMLMediaElement.cpp in WebCore in WebKit before r49480, as used in Apple Safari before 4.0.4 on Mac OS X, does not perform the expected callbacks for HTML 5 media elements that have external URLs for media resources, which allows remote attackers to trigger sub-resource requests to arbitrary web sites via a crafted HTML document, as demonstrated by an HTML e-mail message that uses a media element for X-Confirm-Reading-To functionality, aka rda

CVSS vector

AV:N/AC:L/C:P/I:N/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (1 package)

NVD: apple/safari 4.0.3 (+59)

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-rrp5-fpqr-wrqg: The HTMLMediaElement::loadResource function in html/HTMLMediaElement (2022-05-02)
OSV: CVE-2009-2841: The HTMLMediaElement::loadResource function in html/HTMLMediaElement (2009-11-13)

📋 Vendor Advisories (1)

Red Hat: qt: Unallowed sub-resources loading in the media element handling code (2009-11-11)

💬 Community (1)

Bugzilla: CVE-2009-2841 WebKit, qt: Unallowed sub-resources loading in the media element handling code (2009-09-25)