CVE-2009-1691
Description
Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to insufficient access control for standard JavaScript prototypes in other domains.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in WebKit allows remote attackers to inject arbitrary script via insufficient access control for JavaScript prototypes.
Vulnerability
The vulnerability is a cross-site scripting (XSS) issue in WebKit, the rendering engine used in Apple Safari and iOS. It arises from insufficient access control for standard JavaScript prototypes when accessed from different domains. An attacker can bypass the same-origin policy by manipulating prototypes, leading to script injection. Affected versions include Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1. [1][2]
Exploitation
To exploit, an attacker hosts a malicious webpage that contains specially crafted JavaScript. When a victim visits the page, the attacker's script can access standard JavaScript prototypes (e.g., Object.prototype) in the context of another domain, enabling cross-domain script execution. No authentication or user interaction beyond visiting the page is required. The attack is launched remotely over the web. [1][2]
Impact
Successful exploitation allows arbitrary script execution in the victim's browser, within the security context of any domain the victim visits. This can lead to theft of cookies, session tokens, or other sensitive data, as well as site redirection or defacement. The impact is limited to the browser; no system-level compromise is described. [1][2]
Mitigation
Apple addressed this issue in Safari 4.0 (released June 8, 2009) and iOS 3.0 (released June 17, 2009). Users should update to the latest available versions. No workarounds are provided for unpatched systems. [1][2]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:apple:safari:0.8:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:0.9:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.0.3:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.0:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.1:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.2:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.3.1:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.3.2:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.3:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:2.0.2:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:2.0.4:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:2.0:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.1:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.2:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.2:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.3:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.3:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.4:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.4:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1.1:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1.1:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1.2:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1.2:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2.1:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2.1:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2.2:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2.3:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:*:-:mac:*:*:*:*:* (range: <=4.0_beta)
- cpe:2.3:a:apple:safari:*:-:windows:*:*:*:*:* (range: <=3.2.3)
- (no CPE) Safari (range: <4.0)
- (no CPE) iPhone OS (range: 1.0 through 2.2.1)
- (no CPE) iPhone OS for iPod touch (range: 1.1 through 2.2.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.apple.com/archives/security-announce/2009/jun/msg00002.html (nvd; Patch; Vendor Advisory)
- support.apple.com/kb/HT3613 (nvd; Patch; Vendor Advisory)
- www.vupen.com/english/advisories/2009/1522 (nvd; Patch; Vendor Advisory)
- www.securityfocus.com/bid/35260 (nvd; Exploit; Patch)
- secunia.com/advisories/35379 (nvd; Vendor Advisory)
- lists.apple.com/archives/security-announce/2009/Jun/msg00005.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html (nvd)
- osvdb.org/54989 (nvd)
- secunia.com/advisories/43068 (nvd)
- securitytracker.com/id (nvd)
- support.apple.com/kb/HT3639 (nvd)
- www.securityfocus.com/bid/35330 (nvd)
- www.vupen.com/english/advisories/2009/1621 (nvd)
- www.vupen.com/english/advisories/2011/0212 (nvd)
News mentions
No linked articles in our index yet.