CVE-2009-3263
Description
Cross-site scripting (XSS) vulnerability in Google Chrome 2.x and 3.x before 3.0.195.21 allows remote attackers to inject arbitrary web script or HTML via a (1) RSS or (2) Atom feed, related to the rendering of the application/rss+xml content type as XML "active content."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Google Chrome 2.x and 3.x before 3.0.195.21 allows remote attackers to inject arbitrary web script via RSS/Atom feeds.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Google Chrome versions 2.x and 3.x prior to 3.0.195.21. The flaw occurs when the browser renders RSS or Atom feeds with the application/rss+xml content type as XML "active content," allowing injection of arbitrary web script or HTML.
Exploitation
An attacker can exploit this by crafting a malicious RSS or Atom feed containing embedded JavaScript or HTML. When a user using a vulnerable Chrome version accesses the feed, the injected script executes in the context of the feed's origin. No additional authentication or user interaction beyond viewing the feed is required.
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the user's browser session, potentially leading to data theft, session hijacking, or defacement of the feed content.
Mitigation
The vulnerability is fixed in Google Chrome version 3.0.195.21 and later. Users should upgrade to the latest version. No workarounds are documented in the available references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:google:chrome:2.0.156.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.157.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.157.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.158.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.159.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.169.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.169.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.170.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.27:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.28:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.30:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.31:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.33:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.37:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.38:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.8:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:3.0.182.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:3.0.190.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:3.0.193.2:beta:*:*:*:*:*:*
- (no CPE) range: >=2.0, <=3.0, <3.0.195.21
Patches
No patches discovered yet.
References
- securethoughts.com/2009/09/exploiting-chrome-and-operas-inbuilt-atomrss-reader-with-script-execution-and-more/ (nvd, Exploit)
- googlechromereleases.blogspot.com/2009/09/stable-channel-update.html (nvd, Vendor Advisory)
- secunia.com/advisories/36770 (nvd, Vendor Advisory)
- code.google.com/p/chromium/issues/detail (nvd)
- www.securityfocus.com/archive/1/506517/100/0/threaded (nvd)
- www.securityfocus.com/bid/36416 (nvd)