Vulnerability Description
WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not prevent web sites from loading third-party content into a subframe, which allows remote attackers to bypass the Same Origin Policy and conduct "clickjacking" attacks via a crafted HTML document.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apple | Safari | <= 4.0_beta |
References
- http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
- http://lists.apple.com/archives/security-announce/2009/jun/msg00002.htmlPatchVendor Advisory
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
- http://osvdb.org/54981
- http://secunia.com/advisories/35379Vendor Advisory
- http://secunia.com/advisories/37746
- http://secunia.com/advisories/43068
- http://support.apple.com/kb/HT3613PatchVendor Advisory
- http://support.apple.com/kb/HT3639
- http://www.debian.org/security/2009/dsa-1950
- http://www.securityfocus.com/bid/35260Exploit
- http://www.securityfocus.com/bid/35317
- http://www.vupen.com/english/advisories/2009/1522PatchVendor Advisory
- http://www.vupen.com/english/advisories/2009/1621
- http://www.vupen.com/english/advisories/2011/0212
FAQ
What is CVE-2009-1681?
CVE-2009-1681 is a vulnerability with a CVSS score of 4.3 (MEDIUM). WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not prevent web sites from loading third-party content into a subframe, which allows...
How severe is CVE-2009-1681?
CVE-2009-1681 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-1681?
Check the references section above for vendor advisories and patch information. Affected products include: Apple Safari.