CVE-2010-1394
Description
Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors involving HTML document fragments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Safari WebKit XSS via crafted HTML document fragments; fixed in Safari 5.0 and 4.1.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in WebKit in Apple Safari before version 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before version 4.1 on Mac OS X 10.4. The bug allows remote attackers to inject arbitrary web script or HTML via vectors involving HTML document fragments [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious web page or HTML content that, when processed by the vulnerable WebKit engine, results in script injection. No special authentication or network position beyond the ability to serve content to the victim is required; the victim must simply load the crafted content in a vulnerable Safari browser [2][4].
Impact
Successful exploitation allows the attacker to execute arbitrary script or HTML in the context of the victim's browser session, leading to potential information disclosure, session hijacking, or other client-side attacks. The compromise occurs within the security context of the affected WebKit rendering engine [2].
Mitigation
Apple addressed this issue in Safari 5.0 and Safari 4.1, released on June 7, 2010 [2]. Users should update to Safari 5.0 (Mac OS X 10.5-10.6 and Windows) or Safari 4.1 (Mac OS X 10.4) or later. No workarounds are detailed in the available references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (+ 7 more)
- cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* range: <=4.0.5
- cpe:2.3:a:apple:safari:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.0b:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.4:*:*:*:*:*:*:*
- (no CPE) range: <5.0 (Mac OS X 10.5-10.6, Windows) and <4.1 (Mac OS X 10.4)
cpe:2.3:a:apple:webkit:*:*:*:*:*:*:*:* (+ 1 more)
- cpe:2.3:a:apple:webkit:*:*:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.apple.com/archives/security-announce/2010/Jun/msg00000.html (nvd: Patch, Vendor Advisory)
- securitytracker.com/id (nvd: Patch)
- www.vupen.com/english/advisories/2010/1373 (nvd: Patch, Vendor Advisory)
- secunia.com/advisories/40105 (nvd: Vendor Advisory)
- support.apple.com/kb/HT4196 (nvd: Vendor Advisory)
- lists.apple.com/archives/security-announce/2010//Nov/msg00003.html (nvd)
- lists.apple.com/archives/security-announce/2010/Jun/msg00003.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html (nvd)
- secunia.com/advisories/41856 (nvd)
- secunia.com/advisories/42314 (nvd)
- secunia.com/advisories/43068 (nvd)
- support.apple.com/kb/HT4225 (nvd)
- support.apple.com/kb/HT4456 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.securityfocus.com/bid/40620 (nvd)
- www.ubuntu.com/usn/USN-1006-1 (nvd)
- www.vupen.com/english/advisories/2010/2722 (nvd)
- www.vupen.com/english/advisories/2011/0212 (nvd)
- www.vupen.com/english/advisories/2011/0552 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7552 (nvd)
News mentions
No linked articles in our index yet.