VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 10, 2009· Updated Apr 23, 2026

CVE-2009-1688

CVE-2009-1688

Description

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to determining a security context through an approach that is not the "HTML 5 standard method."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WebKit in Apple Safari before 4.0 and iOS before 3.0 has an XSS flaw due to incorrect security context determination.

Vulnerability

CVE-2009-1688 is a cross-site scripting (XSS) vulnerability in WebKit, affecting Apple Safari versions before 4.0 on Mac OS X, and iPhone OS 1.0 through 2.2.1 (for iPhone and iPod touch) [1][2]. The issue arises because the browser does not follow the HTML 5 standard method for determining a security context, allowing improper script execution across origins.

Exploitation

A remote attacker can exploit this by crafting a malicious web page that, when visited by a user on an affected browser, injects arbitrary web script or HTML into the context of a legitimate site. No authentication or special network position is required beyond luring the victim to the attacker-controlled page [1][2].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript within the security context of another website, potentially leading to session hijacking, data theft, or other malicious actions as if they were the legitimate site. The impact is typical of a cross-site scripting attack, with full ability to manipulate the affected web application's behavior from the user's perspective.

Mitigation

The fix was released in Safari 4.0 [1] and in the iOS 3.0 software update [2]. Users should update to these or later versions. No workarounds were provided for unpatched systems; affected versions are now well past their support lifecycle.

References
  1. About the security content of Safari 4.0 - Apple Support
  2. About the security content of iOS 3.0 Software Update - Apple Support

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

37
  • Apple Inc./Safari35 versions
    cpe:2.3:a:apple:safari:0.8:*:mac:*:*:*:*:*+ 34 more
    • cpe:2.3:a:apple:safari:0.8:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:0.9:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0.3:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.1:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3.1:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3.2:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.2:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.4:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.1:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.2:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.2:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.3:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.3:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.4:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.4:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.1:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.1:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.2:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.2:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.1:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.1:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.2:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.3:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2:-:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:*:*:mac:*:*:*:*:*range: <=4.0_beta
    • cpe:2.3:a:apple:safari:*:*:windows:*:*:*:*:*range: <=3.2.3
    • (no CPE)range: <4.0
  • Apple Inc./Iphone Osllm-fuzzy
    Range: 1.0 through 2.2.1
  • Apple Inc./iPhone OS for iPod touchllm-fuzzy
    Range: 1.1 through 2.2.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

14

News mentions

0

No linked articles in our index yet.