CVE-2009-1714
Description
Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in Apple Safari before 4.0 allows user-assisted remote attackers to inject arbitrary web script or HTML, and read local files, via vectors related to the improper escaping of HTML attributes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting vulnerability in WebKit's Web Inspector allows user-assisted attackers to inject arbitrary script or HTML and read local files.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Web Inspector component of WebKit, as used in Apple Safari before version 4.0. The issue involves improper escaping of HTML attributes within the Web Inspector interface, allowing injected script or HTML to be executed in the context of the user's session. Affected versions include Safari prior to 4.0 on Mac OS X and Windows [1].
Exploitation
Exploitation requires user assistance, such as tricking a user into clicking a crafted link or opening a specially crafted web page while the Web Inspector is active. An attacker must first induce the user to inspect certain content that triggers the XSS, which can then bypass expected security boundaries [1].
Impact
Successful exploitation allows an attacker to execute arbitrary web script or HTML in the context of the affected user's browser, potentially leading to information disclosure (e.g., reading local files) or further compromise of the user's session [1].
Mitigation
Apple addressed this issue in Safari 4.0, released on June 10, 2009. Users should upgrade to Safari 4.0 or later to mitigate the vulnerability. No workarounds were documented by Apple, and this CVE is not listed on the CISA KEV [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:apple:safari:0.8:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:0.9:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.0.3:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.0:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.1:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.2:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.3.1:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.3.2:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.3:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:2.0.2:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:2.0.4:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:2.0:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.1:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.2:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.2:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.3:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.3:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.4:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.4:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1.1:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1.1:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1.2:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1.2:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2.1:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2.1:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2.2:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2.3:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:*:-:mac:*:*:*:*:* (range: <=4.0_beta)
- cpe:2.3:a:apple:safari:*:-:windows:*:*:*:*:* (range: <=3.2.3)
- (no CPE) (range: <4.0)
Patches
No patches discovered yet.
References
- lists.apple.com/archives/security-announce/2009/jun/msg00002.html (nvd: Patch, Vendor Advisory)
- support.apple.com/kb/HT3613 (nvd: Patch, Vendor Advisory)
- www.vupen.com/english/advisories/2009/1522 (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/35260 (nvd: Exploit, Patch)
- secunia.com/advisories/35379 (nvd: Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html (nvd)
- osvdb.org/55023 (nvd)
- secunia.com/advisories/37746 (nvd)
- secunia.com/advisories/43068 (nvd)
- securitytracker.com/id (nvd)
- www.debian.org/security/2009/dsa-1950 (nvd)
- www.securityfocus.com/bid/35348 (nvd)
- www.vupen.com/english/advisories/2011/0212 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/51268 (nvd)