CVE-2010-1389
Description
Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows user-assisted remote attackers to inject arbitrary web script or HTML via vectors involving a (1) paste or (2) drag-and-drop operation for a selection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A user-assisted XSS in WebKit allows attackers to inject arbitrary script or HTML via paste or drag-and-drop operations, fixed in Safari 5.0/4.1.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in WebKit as used in Apple Safari before version 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before version 4.1 on Mac OS X 10.4 [2]. The flaw is triggered when a user performs a paste or drag-and-drop operation for a selected portion of a page, while visiting a malicious website. No special configuration is required beyond using an affected browser version.
Exploitation
An attacker must first trick the victim into visiting a crafted web page and persuade them to either paste or drag-and-drop a selection. Since the attack relies on user interaction (a paste or drag-and-drop action), it is considered user-assisted [1][2]. No authentication or special network position is required beyond serving the malicious content.
Impact
Successful exploitation allows a remote attacker to inject arbitrary web script or HTML into the context of the victim's browser. This can lead to disclosure of sensitive information, session hijacking, or other actions achievable through injected script, all within the security context of the target site [2].
Mitigation
Apple addressed this vulnerability in Safari 5.0 and Safari 4.1 [2]. Users should update to Safari 5.0 (or later) on Mac OS X 10.5–10.6 and Windows, or to Safari 4.1 on Mac OS X 10.4. Linux users of WebKit-based browsers can refer to Ubuntu advisory USN-1006-1 for the corresponding fixes [4]. No workaround is available; applying the security update is the recommended mitigation.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (range: <=4.0.5)
- cpe:2.3:a:apple:safari:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.0b:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.4:*:*:*:*:*:*:*
- (no CPE), range: <5.0
- cpe:2.3:a:apple:webkit:*:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.apple.com/archives/security-announce/2010/Jun/msg00000.html [nvd; Patch; Vendor Advisory]
- www.securityfocus.com/bid/40620 [nvd; Patch]
- www.vupen.com/english/advisories/2010/1373 [nvd; Patch; Vendor Advisory]
- secunia.com/advisories/40105 [nvd; Vendor Advisory]
- support.apple.com/kb/HT4196 [nvd; Vendor Advisory]
- lists.apple.com/archives/security-announce/2010/Jun/msg00003.html [nvd]
- lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html [nvd]
- secunia.com/advisories/41856 [nvd]
- secunia.com/advisories/43068 [nvd]
- securitytracker.com/id [nvd]
- support.apple.com/kb/HT4225 [nvd]
- www.mandriva.com/security/advisories [nvd]
- www.ubuntu.com/usn/USN-1006-1 [nvd]
- www.vupen.com/english/advisories/2010/2722 [nvd]
- www.vupen.com/english/advisories/2011/0212 [nvd]
- www.vupen.com/english/advisories/2011/0552 [nvd]
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6649 [nvd]
News mentions
No linked articles in our index yet.