CVE-2010-1373
Description
Cross-site scripting (XSS) vulnerability in Help Viewer in Apple Mac OS X 10.6 before 10.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted help: URL, related to "URL parameters in HTML content."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Help Viewer in Apple Mac OS X 10.6 before 10.6.4 is vulnerable to XSS via crafted help: URLs, allowing arbitrary script injection.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Help Viewer component of Apple Mac OS X 10.6 prior to version 10.6.4. The flaw affects how Help Viewer processes help: URLs and is related to URL parameters in HTML content. An attacker can craft a malicious help: link that, when opened, injects arbitrary web script or HTML into the Help Viewer context [1].
Exploitation
To exploit this vulnerability, an attacker must craft a help: URL containing malicious script or HTML and then persuade a user to click or navigate to it, for example via a link in an email or on a web page. No authentication is required; exploitation depends only on user interaction. The Help Viewer application processes the crafted URL without adequate sanitization [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript or inject HTML into the Help Viewer environment. This can lead to information disclosure, session hijacking, or other actions within the context of the Help Viewer application. The scope is limited to the Help Viewer's sandbox, but it can still expose sensitive data or enable phishing attacks [1].
Mitigation
Apple addressed this vulnerability in Mac OS X 10.6.4, released as part of Security Update 2010-004 on June 15, 2010. Users should upgrade to Mac OS X 10.6.4 or later. There are no documented workarounds for unpatched systems [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:apple:mac_os_x:10.6.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.6.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.6.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.6.3:*:*:*:*:*:*:*
- (no CPE) range: <10.6.4
- cpe:2.3:o:apple:mac_os_x_server:10.6.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.6.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.6.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.6.3:*:*:*:*:*:*:*
References
- support.apple.com/kb/HT4188 (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/40871 (nvd: Patch)
- www.vupen.com/english/advisories/2010/1481 (nvd: Patch, Vendor Advisory)
- lists.apple.com/archives/security-announce/2010//Jun/msg00001.html (nvd: Vendor Advisory)
- secunia.com/advisories/40220 (nvd: Vendor Advisory)
- securitytracker.com/id (nvd)