Vulnerability Name: | CVE-2009-2352 (CCN-51550) | ||||||||
Assigned: | 2009-07-02 | ||||||||
Published: | 2009-07-02 | ||||||||
Updated: | 2018-10-10 | ||||||||
Summary: | Google Chrome 1.0.154.48 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312. Note: it was later reported that 2.0.172.28, 2.0.172.37, and 3.0.193.2 Beta are also affected. | ||||||||
CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
| ||||||||
CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.1 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:UR)
4.1 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:UR)
| ||||||||
Vulnerability Type: | CWE-79 | ||||||||
Vulnerability Consequences: | Gain Access | ||||||||
References: | Source: CCN Type: BugTraq Mailing List, Thu Jul 02 2009 - 17:21:57 CDT Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome Source: MITRE Type: CNA CVE-2009-2352 Source: MISC Type: UNKNOWN http://websecurity.com.ua/3275/ Source: MISC Type: UNKNOWN http://websecurity.com.ua/3386/ Source: CCN Type: Google Chrome Web site Google Chrome Source: BUGTRAQ Type: UNKNOWN 20090702 Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome Source: BUGTRAQ Type: UNKNOWN 20090703 Re: Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome Source: BID Type: Exploit 35572 Source: CCN Type: BID-35572 Google Chrome 'javascript:' URI in 'Refresh' Header Cross-Site Scripting Vulnerability Source: XF Type: UNKNOWN googlechrome-refresh-header-xss(51550) | ||||||||
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: Denotes that component is vulnerable | ||||||||
BACK |