VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 10, 2009· Updated Apr 23, 2026

CVE-2009-1715

CVE-2009-1715

Description

Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in Apple Safari before 4.0 allows user-assisted remote attackers to inject arbitrary web script or HTML, and read local files, via vectors related to script execution with incorrect privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in Web Inspector of WebKit in Safari before 4.0 allows user-assisted remote attackers to inject script and read local files.

Vulnerability

The vulnerability is a cross-site scripting (XSS) issue in the Web Inspector component of WebKit, as used in Apple Safari versions prior to 4.0. The bug allows script execution with incorrect privileges, enabling injection of arbitrary web script or HTML. Affected versions: Safari before 4.0 on Mac OS X v10.4.11 and v10.5.x (as per reference [1]).

Exploitation

Exploitation requires user assistance, such as convincing a user to interact with a maliciously crafted web page or file that triggers the Web Inspector. The attacker does not need authentication but relies on the user opening the inspector or performing actions that lead to script execution with elevated privileges.

Impact

Successful exploitation allows an attacker to inject arbitrary web script or HTML, potentially leading to disclosure of local files due to incorrect privilege separation. The impact includes information disclosure and potential further compromise.

Mitigation

Apple addressed this issue in Safari 4.0, released on June 8, 2009. Users should update to Safari 4.0 or later. No workarounds are documented. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

References
  1. About the security content of Safari 4.0 - Apple Support

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

35
  • Apple Inc./Safari35 versions
    cpe:2.3:a:apple:safari:0.8:*:mac:*:*:*:*:*+ 34 more
    • cpe:2.3:a:apple:safari:0.8:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:0.9:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0.3:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.0:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.1:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.2:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3.1:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3.2:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:1.3:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.2:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0.4:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:2.0:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.1:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.2:-:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.2:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.3:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.3:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.4:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0.4:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.0:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.1:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.1:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.2:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1.2:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.1:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.1:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.1:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.2:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2.3:*:mac:*:*:*:*:*
    • cpe:2.3:a:apple:safari:3.2:*:windows:*:*:*:*:*
    • cpe:2.3:a:apple:safari:*:*:mac:*:*:*:*:*range: <=4.0_beta
    • cpe:2.3:a:apple:safari:*:*:windows:*:*:*:*:*range: <=3.2.3
    • (no CPE)range: <4.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

11

News mentions

0

No linked articles in our index yet.