Unrated severityNVD Advisory· Published Aug 31, 2009· Updated Jun 16, 2026
CVE-2009-3016
CVE-2009-3016
Description
Apple Safari 4.0.3 does not properly block javascript: and data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains a javascript: URI, (2) entering a javascript: URI when specifying the content of a Refresh header, (3) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI, or (4) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*
- (no CPE)range: =4.0.3
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.