Unrated severity · NVD Advisory · Published Jun 11, 2010 · Updated Apr 29, 2026

CVE-2010-0544

Description

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors related to a malformed URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XSS vulnerability in WebKit lets remote attackers inject arbitrary web script or HTML via a malformed URL. It affects Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and Safari before 4.1 on Mac OS X 10.4.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in WebKit, the rendering engine used in Apple Safari versions prior to 5.0 on Mac OS X 10.5 through 10.6 and Windows, and prior to 4.1 on Mac OS X 10.4. The issue is triggered by a malformed URL that WebKit fails to properly sanitize, allowing arbitrary web script or HTML to be injected into the context of a user's session [2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL that, when visited by a victim using an affected version of Safari, causes WebKit to execute attacker-controlled script or HTML in the user's browser. The attacker does not require authentication or any special network position beyond the ability to deliver the URL (e.g., via email, a link, or a compromised website). User interaction is limited to clicking the crafted link [1][2].

Impact

Successful exploitation allows an attacker to inject arbitrary web script or HTML into the Safari rendering environment, leading to potential disclosure of sensitive information (such as cookies or session tokens), modification of page content, or further attacks within the user's browser session. The attack leverages the user's existing privileges in the browser context, which could lead to broader compromise of the user's data or accounts on the affected domain [2].

Mitigation

Apple addressed this vulnerability in Safari 5.0 (for Mac OS X 10.5–10.6 and Windows) and Safari 4.1 (for Mac OS X 10.4). Users should update to these versions or later. No workarounds have been published. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9 products:
  • Apple Inc. / Safari (8 versions)
    • cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (range: <=4.0.5)
    • cpe:2.3:a:apple:safari:4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.0b:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.4:*:*:*:*:*:*:*
    • (no CPE) (range: <5.0)
  • cpe:2.3:a:apple:webkit:*:*:*:*:*:*:*:*

References

16