CVE-2010-1395
Description
Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors involving DOM constructor objects, related to a "scope management issue."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in WebKit in Apple Safari before 5.0 and 4.1 allows remote attackers to inject arbitrary web script via DOM constructor objects.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in WebKit, the rendering engine used by Apple Safari. The issue is a scope management issue involving DOM constructor objects. Safari versions before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and versions before 4.1 on Mac OS X 10.4 are affected [2].
Exploitation
An attacker can exploit this vulnerability by hosting a malicious website that, when visited by a user running an affected version of Safari, injects arbitrary web script or HTML into the context of the victim's browser. No authentication or additional privileges are required; the attack is conducted remotely.
Impact
Successful exploitation allows the attacker to execute arbitrary script in the user's browser session, potentially leading to information disclosure, session hijacking, or other actions that the user could perform on the affected site.
Mitigation
Apple addressed the issue in Safari 5.0 and Safari 4.1. Users should upgrade to these or later versions. The fix was released on June 7, 2010, as part of the Safari 5.0 and Safari 4.1 security updates [2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (range: <=4.0.5)
- cpe:2.3:a:apple:safari:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.0b:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.4:*:*:*:*:*:*:*
- (no CPE) range: <5.0 on Mac OS X 10.5-10.6 and Windows; <4.1 on Mac OS X 10.4
- cpe:2.3:a:apple:webkit:*:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.apple.com/archives/security-announce/2010/Jun/msg00000.html (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/40620 (nvd: Patch)
- www.vupen.com/english/advisories/2010/1373 (nvd: Patch, Vendor Advisory)
- secunia.com/advisories/40105 (nvd: Vendor Advisory)
- support.apple.com/kb/HT4196 (nvd: Vendor Advisory)
- lists.apple.com/archives/security-announce/2010//Jun/msg00002.html (nvd)
- lists.apple.com/archives/security-announce/2010/Jun/msg00003.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html (nvd)
- secunia.com/advisories/40196 (nvd)
- secunia.com/advisories/41856 (nvd)
- secunia.com/advisories/43068 (nvd)
- securitytracker.com/id (nvd)
- support.apple.com/kb/HT4220 (nvd)
- support.apple.com/kb/HT4225 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.ubuntu.com/usn/USN-1006-1 (nvd)
- www.vupen.com/english/advisories/2010/1512 (nvd)
- www.vupen.com/english/advisories/2010/2722 (nvd)
- www.vupen.com/english/advisories/2011/0212 (nvd)
- www.vupen.com/english/advisories/2011/0552 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7464 (nvd)
News mentions
No linked articles in our index yet.