VYPR
Unrated severity · NVD Advisory · Published Jun 10, 2009 · Updated Apr 23, 2026

CVE-2009-1689

Description

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving submission of a form to the about:blank URL, leading to security-context replacement.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in WebKit allows arbitrary script injection via form submission to about:blank, affecting Safari before 4.0 and older iOS.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in WebKit, the rendering engine used by Apple Safari and iPhone OS. The flaw is triggered when a form is submitted to the about:blank URL: the resulting security-context replacement allows an attacker to inject arbitrary web script or HTML. Affected versions are Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious web page that includes a form submission to about:blank. When a victim visits the page and the form is submitted (either automatically or via user interaction), the security context is replaced, enabling the attacker's script to execute in the context of the victim's browser. No authentication or special network position is required; the attack is remote and can be delivered via a link or by hosting the malicious page.

Impact

Successful exploitation allows the attacker to inject arbitrary web script or HTML into the victim's browser session. This can lead to information disclosure, session hijacking, or other actions performed in the security context of the affected website, potentially compromising user data and privacy.

Mitigation

Apple addressed this vulnerability in Safari 4.0, released on June 8, 2009 [1], and in iOS 3.0, released on June 17, 2009 [2]. Users should update to these or later versions. No workarounds are documented; the only mitigation is to apply the available patches.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Apple Inc. / Safari (35 versions)
    • cpe:2.3:a:apple:safari:0.8:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:0.9:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0.3:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.1:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3.1:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3.2:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.2:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.4:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.1:-:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.2:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.2:-:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.3:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.3:-:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.4:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.4:-:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0:-:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.1:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.1:-:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.2:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.2:-:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1:-:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.1:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.1:-:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.2:-:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.3:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2:-:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:*:-:mac:*:*:*:*:* (range: <=4.0_beta)
    • cpe:2.3:a:apple:safari:*:-:windows:*:*:*:*:* (range: <=3.2.3)
    • (no CPE) range: <4.0
  • Apple Inc. / iPhone OS: range ≥1.0 ≤2.2.1
  • Apple Inc. / iPhone OS for iPod touch: range ≥1.1 ≤2.2.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.