High severity 7.5 · NVD Advisory · Published Jun 10, 2009 · Updated Apr 23, 2026
CVE-2009-1699
Description
The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."
Affected products
- cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- lists.apple.com/archives/security-announce/2009/jun/msg00002.html (nvd: Broken Link, Mailing List, Patch, Vendor Advisory)
- support.apple.com/kb/HT3613 (nvd: Patch, Vendor Advisory)
- www.vupen.com/english/advisories/2009/1522 (nvd: Broken Link, Patch, Vendor Advisory)
- scary.beasts.org/security/CESA-2009-006.html (nvd: Exploit)
- scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-fixes-local-file-theft.html (nvd: Exploit)
- www.securityfocus.com/bid/35260 (nvd: Broken Link, Exploit, Third Party Advisory, VDB Entry)
- www.exploit-db.com/exploits/8907 (nvd: Exploit, Third Party Advisory, VDB Entry)
- secunia.com/advisories/35379 (nvd: Broken Link, Vendor Advisory)
- support.apple.com/kb/HT3639 (nvd: Vendor Advisory)
- www.securityfocus.com/bid/35321 (nvd: Broken Link, Third Party Advisory, VDB Entry)
- www.ubuntu.com/usn/USN-857-1 (nvd: Third Party Advisory)
- lists.apple.com/archives/security-announce/2009/Jun/msg00005.html (nvd: Mailing List)
- lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html (nvd: Mailing List)
- osvdb.org/54972 (nvd: Broken Link)
- secunia.com/advisories/43068 (nvd: Broken Link)
- www.vupen.com/english/advisories/2009/1621 (nvd: Broken Link)
- www.vupen.com/english/advisories/2011/0212 (nvd: Broken Link)