Webkit Security Vulnerabilities and Issues — Webkit CVE List

Lucene search

AppleWebkit

30 matches found

CVE•added 2010/02/18 6:0 p.m.•71 views

CVE-2010-0651

WebKit before r52784, as used in Google Chrome before 4.0.249.78 and Apple Safari before 4.0.5, permits cross-origin loading of CSS stylesheets even when the stylesheet download has an incorrect MIME type and the stylesheet document is malformed, which allows remote attackers to obtain sensitive in...

4.3CVSS7.3AI score0.02258EPSS

CVE•added 2010/06/11 6:0 p.m.•69 views

CVE-2010-1395

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors involving DOM constructor objects, related to a "scope management issu...

4.3CVSS7AI score0.01195EPSS

CVE•added 2012/11/15 11:58 a.m.•67 views

CVE-2012-5851

html/parser/XSSAuditor.cpp in WebCore in WebKit, as used in Google Chrome through 22 and Safari 5.1.7, does not consider all possible output contexts of reflected data, which makes it easier for remote attackers to bypass a cross-site scripting (XSS) protection mechanism via a crafted string, aka r...

4.3CVSS5.2AI score0.00344EPSS

CVE•added 2010/06/11 7:30 p.m.•65 views

CVE-2010-0544

4.3CVSS5.2AI score0.00763EPSS

CVE•added 2010/06/11 6:0 p.m.•60 views

CVE-2010-1393

The Cascading Style Sheets (CSS) implementation in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to discover sensitive URLs via an HREF attribute associated with a redirecting URL.

4.3CVSS8.3AI score0.01392EPSS

CVE•added 2010/06/11 7:30 p.m.•60 views

CVE-2010-2264

The Cascading Style Sheets (CSS) implementation in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages ...

4.3CVSS7.4AI score0.00732EPSS

CVE•added 2010/02/18 6:0 p.m.•59 views

CVE-2010-0656

WebKit before r51295, as used in Google Chrome before 4.0.249.78, presents a directory-listing page in response to an XMLHttpRequest for a file:/// URL that corresponds to a directory, which allows attackers to obtain sensitive information or possibly have unspecified other impact via a crafted loc...

4.3CVSS8.3AI score0.00606EPSS

CVE•added 2010/06/11 6:0 p.m.•57 views

CVE-2010-1390

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors related to improper UTF-7 canonicalization, and lack of termination of...

4.3CVSS7.1AI score0.01195EPSS

CVE•added 2010/06/11 6:0 p.m.•54 views

CVE-2010-1389

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows user-assisted remote attackers to inject arbitrary web script or HTML via vectors involving a (1) paste or (2) drag-and-drop operation for...

4.3CVSS7.1AI score0.01007EPSS

CVE•added 2010/06/11 6:0 p.m.•54 views

CVE-2010-1391

Multiple directory traversal vulnerabilities in the (a) Local Storage and (b) Web SQL database implementations in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allow remote attackers to create arbitrary database files via vectors invol...

4.3CVSS8.9AI score0.00565EPSS

CVE•added 2010/06/11 6:0 p.m.•54 views

CVE-2010-1416

WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, does not properly restrict the reading of a canvas that contains an SVG image pattern from a different web site, which allows remote attackers to read images from other sites via a crafted ...

4.3CVSS7.8AI score0.01397EPSS

CVE•added 2008/04/17 7:5 p.m.•53 views

CVE-2008-1025

Cross-site scripting (XSS) vulnerability in Apple WebKit, as used in Safari before 3.1.1, allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a colon in the hostname portion.

4.3CVSS5.2AI score0.01125EPSS

CVE•added 2010/06/11 7:30 p.m.•53 views

CVE-2010-1418

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via a FRAME element with a SRC attribute composed of a javascript: sequence preced...

4.3CVSS6.8AI score0.01199EPSS

CVE•added 2010/06/11 6:0 p.m.•51 views

CVE-2010-1388

WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6, and before 4.1 on Mac OS X 10.4, does not properly handle clipboard (1) drag and (2) paste operations for URLs, which allows user-assisted remote attackers to read arbitrary files via a crafted HTML document.

4.3CVSS7.7AI score0.0086EPSS

CVE•added 2010/06/11 6:0 p.m.•50 views

CVE-2010-1408

WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to bypass intended restrictions on outbound connections to "non-default TCP ports" via a crafted port number, related to an "integer truncation issue." NOTE: this ma...

4.3CVSS8.2AI score0.00443EPSS

CVE•added 2010/06/11 6:0 p.m.•50 views

CVE-2010-1422

WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, does not properly handle changes to keyboard focus that occur during processing of key press events, which allows remote attackers to force arbitrary key presses via a crafted HTML document...

4.3CVSS7.8AI score0.01082EPSS

CVE•added 2011/03/11 10:55 p.m.•50 views

CVE-2011-0163

WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle unspecified "cached resources," which allows remote attackers to cause a denial of service (resource unavailability) via a crafted web site that conducts a cache-poisoning attack.

4.3CVSS7.9AI score0.01049EPSS

CVE•added 2010/06/11 6:0 p.m.•49 views

CVE-2010-1394

4.3CVSS7AI score0.01195EPSS

CVE•added 2010/06/11 6:0 p.m.•49 views

CVE-2010-1406

WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, sends an https URL in the Referer header of an http request in certain circumstances involving https to http redirection, which allows remote HTTP servers to obtain potentially sensitive in...

4.3CVSS8.2AI score0.00762EPSS

CVE•added 2011/03/11 10:55 p.m.•49 views

CVE-2011-0167

The windows functionality in WebKit in Apple Safari before 5.0.4 allows remote attackers to bypass the Same Origin Policy, and force the upload of arbitrary local files from a client computer, via a crafted web site.

4.3CVSS8.2AI score0.02629EPSS

CVE•added 2010/05/06 2:53 p.m.•48 views

CVE-2010-1729

WebKit.dll in WebKit, as used in Safari.exe 4.531.9.1 in Apple Safari, allows remote attackers to cause a denial of service (application crash) via JavaScript that writes <marquee> sequences in an infinite loop.

4.3CVSS7.6AI score0.00643EPSS

CVE•added 2010/11/22 1:0 p.m.•48 views

CVE-2010-3810

WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.3 on Mac OS X 10.4, does not properly handle the History object, which allows remote attackers to spoof the location bar's URL or add URLs to the history via a cross-origin attack.

4.3CVSS7.8AI score0.00819EPSS

CVE•added 2010/06/11 7:30 p.m.•47 views

CVE-2010-1762

4.3CVSS6.7AI score0.00908EPSS

CVE•added 2010/06/11 7:30 p.m.•47 views

CVE-2010-1764

WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, follows multiple redirections during form submission, which allows remote web servers to obtain sensitive information by recording the form data.

4.3CVSS8.1AI score0.00905EPSS

CVE•added 2010/07/30 8:30 p.m.•47 views

CVE-2010-1778

Cross-site scripting (XSS) vulnerability in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via an RSS feed.

4.3CVSS6.7AI score0.00277EPSS

CVE•added 2010/06/11 7:30 p.m.•46 views

CVE-2010-1421

The execCommand JavaScript function in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, does not properly restrict remote execution of clipboard commands, which allows remote attackers to modify the clipboard via a crafted HTML document.

4.3CVSS7.8AI score0.03913EPSS

CVE•added 2011/03/11 10:55 p.m.•44 views

CVE-2011-0161

WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle the Attr.style accessor, which allows remote attackers to bypass the Same Origin Policy and inject Cascading Style Sheets (CSS) token sequences via a crafted web site.

4.3CVSS8AI score0.00391EPSS

CVE•added 2011/07/21 11:55 p.m.•43 views

CVE-2011-0242

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving a URL that contains a username.

4.3CVSS6.4AI score0.00277EPSS

CVE•added 2011/07/21 11:55 p.m.•42 views

CVE-2011-0244

WebKit in Apple Safari before 5.0.6 allows user-assisted remote attackers to read arbitrary files via vectors related to improper canonicalization of URLs within RSS feeds.

4.3CVSS7.6AI score0.0023EPSS

CVE•added 2010/06/24 5:30 p.m.•39 views

CVE-2010-2441

WebKit does not properly restrict focus changes, which allows remote attackers to read keystrokes via "cross-domain IFRAME gadgets," a different vulnerability than CVE-2010-1126, CVE-2010-1422, and CVE-2010-2295.

4.3CVSS8.6AI score0.01184EPSS