CVE-2010-0541
Description
Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server in Ruby in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers to inject arbitrary web script or HTML via a crafted URI that triggers a UTF-7 error page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in WEBrick HTTP server in Ruby on Mac OS X allows arbitrary script injection via crafted URI triggering UTF-7 error page.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the WEBrick HTTP server included with Ruby on Apple Mac OS X versions 10.5.8 and 10.6 before 10.6.4. The flaw is triggered when a crafted URI is sent to the server, causing it to return an error page that interprets the URI as UTF-7 encoded content, allowing injection of arbitrary web script or HTML [1]. This issue also affects Ruby on other platforms; Red Hat issued updates for Ruby on Red Hat Enterprise Linux via RHSA-2011-0909 and RHSA-2011-0908 [2][3].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted HTTP request to a WEBrick server. No authentication or special privileges are required; the attacker only needs network access to the server. The server's error page will reflect the malicious input in a way that the browser interprets as UTF-7, enabling script execution.
Impact
Successful exploitation allows an attacker to inject arbitrary web script or HTML into the error page served by WEBrick. This can lead to session hijacking, defacement, or theft of sensitive data in the context of the affected web application.
Mitigation
Apple addressed this issue in Security Update 2010-004 / Mac OS X v10.6.4 [1]. Red Hat released updated Ruby packages in RHSA-2011-0909 and RHSA-2011-0908 [2][3]. Users should apply the appropriate updates for their operating system. No workaround is documented.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
11cpe:2.3:o:apple:mac_os_x:10.5.8:*:*:*:*:*:*:*+ 5 more
- cpe:2.3:o:apple:mac_os_x:10.5.8:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.6.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.6.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.6.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.6.3:*:*:*:*:*:*:*
- (no CPE)range: 10.5.8, >=10.6 <10.6.4
cpe:2.3:o:apple:mac_os_x_server:10.5.8:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:o:apple:mac_os_x_server:10.5.8:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.6.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.6.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.6.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.6.3:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- support.apple.com/kb/HT4188nvdPatchVendor Advisory
- www.securityfocus.com/bid/40871nvdPatch
- lists.apple.com/archives/security-announce/2010//Jun/msg00001.htmlnvdVendor Advisory
- secunia.com/advisories/40220nvdVendor Advisory
- www.vupen.com/english/advisories/2010/1481nvdVendor Advisory
- www.mandriva.com/security/advisoriesnvd
- www.mandriva.com/security/advisoriesnvd
- www.redhat.com/support/errata/RHSA-2011-0908.htmlnvd
- www.redhat.com/support/errata/RHSA-2011-0909.htmlnvd
- www.securityfocus.com/bid/40895nvd
News mentions
0No linked articles in our index yet.