VYPR
Unrated severity · NVD Advisory · Published Sep 13, 2011 · Updated Apr 29, 2026

CVE-2009-5097

Description

Palm Pre WebOS 1.1 and earlier executes JavaScript in email messages, allowing attackers to read arbitrary device files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Palm Pre WebOS versions 1.1 and earlier [1][2] process and execute JavaScript contained within email messages. This design flaw allows a remote attacker to inject arbitrary JavaScript code into a specially crafted email, which is automatically executed when the email is viewed on the device. Affected versions include all WebOS builds up to and including 1.1; the vulnerability is fixed in WebOS 1.2 [2].

Exploitation

An attacker only needs the ability to send an email to the victim's Palm Pre device [2]. No additional authentication, user interaction beyond viewing the email, or special network position is required. The attacker crafts an email containing malicious JavaScript that, when parsed and executed by the device's email client, can read the contents of any file on the filesystem (e.g., PalmDatabase.db3) and exfiltrate that data to an attacker-controlled web server [2]. A proof-of-concept email uses JavaScript to upload the targeted file to a remote server automatically [2].

Impact

Successful exploitation results in arbitrary file disclosure from the Palm Pre device [1][2]. The attacker gains access to sensitive information stored in the PalmDatabase.db3 file, which includes emails, email addresses, contact names, phone numbers, and other personal data [2]. The impact is limited to confidentiality loss; there is no direct indication of code execution or privilege escalation beyond file reading.

Mitigation

Palm released WebOS version 1.2, which patches this vulnerability [2]. Users should upgrade to WebOS 1.2 or later. For devices that cannot be upgraded, the vendor has published no other official workaround [1][2]. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (5)

  • cpe:2.3:o:hp:palm_pre_webos:*:*:*:*:*:*:*:* (range: <=1.1.0)
  • cpe:2.3:o:hp:palm_pre_webos:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:o:hp:palm_pre_webos:1.0.3:*:*:*:*:*:*:*
  • cpe:2.3:o:hp:palm_pre_webos:1.0.4:*:*:*:*:*:*:*
  • Palm/Pre WebOS (LLM fuzzy match), range: <=1.1

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"WebOS 1.1 and earlier parses and executes JavaScript embedded in email messages without sanitization, allowing arbitrary code injection."

Attack vector

An attacker sends a specially crafted email containing embedded JavaScript to the victim's Palm Pre device. When the victim views the email, WebOS 1.1 and earlier parses and executes the JavaScript [ref_id=1]. The injected script can read any file on the device (such as PalmDatabase.db3) and exfiltrate it to a remote web server controlled by the attacker [CWE-94] [ref_id=1]. No user interaction beyond opening the email is required.

Affected code

The vulnerability exists in the email processing component of Palm Pre WebOS version 1.1 and earlier. The advisory does not specify a particular function or file path, but identifies that the system parses and executes JavaScript contained within received email messages [ref_id=1].

What the fix does

Palm addressed this vulnerability in WebOS version 1.2. The advisory does not include a patch diff, but states that Palm patched the issue and recommends all users upgrade to WebOS 1.2 or later [ref_id=1]. The fix presumably prevents JavaScript in email messages from being parsed and executed, closing the code injection vector [CWE-94].
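As an added illustration, not Palm's code and not taken from the advisory, the Node.js function below shows the defensive principle that the WebOS 1.2 fix is described as applying: an email body is rendered through a tag and attribute allowlist so that script elements, inline event handlers and `javascript:` URLs never reach the rendering engine. The allowlists, the `sanitizeEmailHtml` name and the sample message are assumptions made for this example; a production mail client should rely on a parser-based sanitizer such as DOMPurify rather than a string scanner like this one. The returned `dropped` list is the kind of signal a client could log to spot messages that carried active content.

```javascript
'use strict';
// Added example (not Palm's code): render an HTML email body through an
// allowlist so that no script can reach the rendering engine. A real mail
// client should use a parser-based sanitizer such as DOMPurify; this string
// scanner only illustrates the principle.

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'div', 'span']);
const ALLOWED_ATTRS = { a: new Set(['href']) };     // every other attribute is dropped
const RAW_TEXT_TAGS = new Set(['script', 'style']); // element bodies are never rendered

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Only http(s) and mailto links survive; javascript:, data:, vbscript: and
// whitespace-obfuscated variants ("java\tscript:") are rejected.
function safeHref(value) {
  const v = value.trim().replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^(https?:|mailto:)/.test(v) ? value.trim() : null;
}

function sanitizeEmailHtml(html) {
  const lower = html.toLowerCase();
  const dropped = [];   // what was removed; useful as a detection signal
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    const gt = html.indexOf('>', lt);
    if (gt === -1) { out += escapeText(html.slice(lt)); break; } // stray '<' becomes text
    const raw = html.slice(lt + 1, gt);
    i = gt + 1;
    const m = /^(\/?)([a-zA-Z][a-zA-Z0-9]*)([\s\S]*)$/.exec(raw);
    if (!m) { out += escapeText('<' + raw + '>'); continue; }    // comments, doctype, junk
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) {
      dropped.push(tag);
      if (!closing && RAW_TEXT_TAGS.has(tag)) {
        // Skip the whole element body so script text is not even displayed.
        const end = lower.indexOf('</' + tag, i);
        if (end === -1) { i = html.length; }
        else { const close = html.indexOf('>', end); i = close === -1 ? html.length : close + 1; }
      }
      continue;
    }
    if (closing) { out += '</' + tag + '>'; continue; }
    let attrs = '';
    const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[3])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4] !== undefined ? a[4] : '';
      if (name.startsWith('on')) { dropped.push(tag + '@' + name); continue; } // inline handlers
      if (!(ALLOWED_ATTRS[tag] && ALLOWED_ATTRS[tag].has(name))) continue;
      const href = safeHref(value);   // only href is allowlisted, so every survivor is a URL
      if (href === null) { dropped.push(tag + '@' + name); continue; }
      attrs += ' ' + name + '="' + escapeText(href) + '"';
    }
    out += '<' + tag + attrs + '>';
  }
  return { html: out, dropped };
}

// Constructed sample message for the demo (not a payload from the advisory).
const SAMPLE_EMAIL_HTML =
  '<p onclick="x()">Hi <b>there</b></p>' +
  '<script>alert(1)</script>' +
  '<a href="javascript:alert(1)">link</a>' +
  '<a href="https://example.com">ok</a>';

const demo = sanitizeEmailHtml(SAMPLE_EMAIL_HTML);
console.log(demo.html);    // <p>Hi <b>there</b></p><a>link</a><a href="https://example.com">ok</a>
console.log(demo.dropped); // [ 'p@onclick', 'script', 'a@href' ]
```

The design choice worth noting is that the scanner never tries to recognise "bad" constructs; it keeps a small set of known-safe tags and attributes and escapes or discards everything else, which is the only approach that holds up as new script-bearing HTML features appear.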

Preconditions

  • config: The victim must be using Palm Pre WebOS version 1.1 or earlier
  • input: The victim must receive and view an email containing malicious JavaScript

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.