CVE-2010-1390
Description
Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors related to improper UTF-7 canonicalization, and lack of termination of a quoted string in an HTML document.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in WebKit in Apple Safari before 5.0/4.1 allows remote attackers to inject arbitrary script via improper UTF-7 canonicalization and unclosed quoted strings.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in WebKit as used in Apple Safari. The flaw is due to improper UTF-7 canonicalization and a failure to properly terminate a quoted string within an HTML document [2]. This allows an attacker to inject arbitrary web script or HTML. Affected versions include Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and Safari before 4.1 on Mac OS X 10.4 [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious HTML document that, when rendered by a vulnerable version of Safari, triggers the XSS. The attack requires no authentication or special privileges; the victim only needs to visit the attacker-controlled page. The improper UTF-7 canonicalization and unclosed quoted string cause the browser to misinterpret the input, leading to script injection [4].
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the victim's browser session. This can lead to theft of sensitive information such as cookies, session tokens, or credentials, and may enable actions on behalf of the authenticated user [2][4].
Mitigation
Apple addressed this vulnerability in Safari 5.0 and Safari 4.1, released on June 7, 2010 [2]. Users should update to these versions or later. No workarounds are documented. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (range: <=4.0.5)
- cpe:2.3:a:apple:safari:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.0b:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.4:*:*:*:*:*:*:*
- (no CPE) range: <5.0 on Mac OS X 10.5-10.6 and Windows; <4.1 on Mac OS X 10.4
cpe:2.3:a:apple:webkit:*:*:*:*:*:*:*:*
- cpe:2.3:a:apple:webkit:*:*:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.apple.com/archives/security-announce/2010/Jun/msg00000.html (nvd; Patch; Vendor Advisory)
- www.securityfocus.com/bid/40620 (nvd; Patch)
- www.vupen.com/english/advisories/2010/1373 (nvd; Patch; Vendor Advisory)
- secunia.com/advisories/40105 (nvd; Vendor Advisory)
- support.apple.com/kb/HT4196 (nvd; Vendor Advisory)
- lists.apple.com/archives/security-announce/2010//Jun/msg00002.html (nvd)
- lists.apple.com/archives/security-announce/2010/Jun/msg00003.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html (nvd)
- secunia.com/advisories/40196 (nvd)
- secunia.com/advisories/41856 (nvd)
- secunia.com/advisories/43068 (nvd)
- securitytracker.com/id (nvd)
- support.apple.com/kb/HT4220 (nvd)
- support.apple.com/kb/HT4225 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.ubuntu.com/usn/USN-1006-1 (nvd)
- www.vupen.com/english/advisories/2010/1512 (nvd)
- www.vupen.com/english/advisories/2010/2722 (nvd)
- www.vupen.com/english/advisories/2011/0212 (nvd)
- www.vupen.com/english/advisories/2011/0552 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6888 (nvd)
News mentions
No linked articles in our index yet.