VYPR
Unrated severity · NVD Advisory · Published Jun 11, 2010 · Updated Apr 29, 2026

CVE-2010-1418

Description

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via a FRAME element with a SRC attribute composed of a javascript: sequence preceded by spaces.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting vulnerability in WebKit allows remote attackers to inject arbitrary script via a specially crafted FRAME element with spaces before a javascript: URL in the SRC attribute.

Vulnerability

The vulnerability is a cross-site scripting (XSS) issue in WebKit, the rendering engine used by Apple Safari. It affects Safari before version 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before version 4.1 on Mac OS X 10.4. The bug is triggered when a FRAME element's SRC attribute value begins with one or more spaces followed by a javascript: URL (for example `src="  javascript:alert(1)"`). WebKit still treats the value as a javascript: URL, but the leading spaces let it slip past the security checks that would otherwise apply, so arbitrary script or HTML executes in the context of the affected page.

Exploitation

To exploit this vulnerability, an attacker crafts a web page containing a FRAME element whose SRC attribute value starts with spaces before the javascript: URL, for example `<frame src="  javascript:alert(1)">`; the leading spaces are the essential part of the payload. For the result to be cross-site, the element has to be rendered by a page on the origin the attacker wants to hijack rather than by a page the attacker already controls outright, since script running on the attacker's own page is not cross-site. The attacker then needs to lure the victim into visiting that page using an affected version of Safari. No authentication or user interaction beyond visiting the page is required, as the payload executes automatically when the frame is loaded.
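To make the filter-bypass mechanics concrete, the following JavaScript is an added example written for this page; it is not code from Apple, WebKit or VYPR. It contrasts a prefix-matched scheme allowlist of the kind many web applications relied on against a check that decides on the scheme a WHATWG URL parser (Node's global `URL`) produces after stripping leading whitespace, and runs both over constructed FRAME markup. The sample HTML, the `example.test` base and every function name are assumptions made for the demonstration; the tab-prefixed case goes beyond the page's space-only description and reflects general URL-parser normalization, not a documented WebKit detail.

```javascript
// Added example for this advisory page; not code from Apple, WebKit or VYPR.
// Shows why a prefix-based scheme filter misses "  javascript:..." in a frame
// src while a URL parser still resolves the value to the javascript: scheme.
// SAMPLE_HTML and the example.test base are constructed for the demo.

const PAGE_BASE = "https://example.test/"; // assumed base for relative srcs

// Constructed markup: one benign frame, two whitespace-prefixed payloads
// (space and tab) and one plain javascript: URL.
const SAMPLE_HTML = `
<frameset cols="50%,50%">
  <frame src="https://example.test/menu.html">
  <frame src="  javascript:alert(document.cookie)">
</frameset>
<iframe src="\tjavascript:alert(1)"></iframe>
<iframe src="javascript:alert(2)"></iframe>
`;

// Naive allowlist as commonly written: compares the raw attribute prefix.
// "  javascript:alert(1)" does not start with "javascript:", so it is allowed.
function naiveIsSafeFrameSrc(src) {
  const lower = src.toLowerCase();
  return !["javascript:", "vbscript:", "data:"].some((p) => lower.startsWith(p));
}

// Scheme as the WHATWG URL parser sees it. The parser strips leading and
// trailing C0 controls and spaces and removes interior tabs/newlines before
// reading the scheme, so leading whitespace never hides "javascript:".
// Returns null when the value is not a parsable URL.
function parsedProtocol(src, base = PAGE_BASE) {
  try {
    return new URL(src, base).protocol;
  } catch {
    return null;
  }
}

// Hardened check: decide on the parsed scheme, not the raw string, and use a
// positive allowlist (http/https only). Unparsable input is rejected.
function hardenedIsSafeFrameSrc(src, base = PAGE_BASE) {
  const protocol = parsedProtocol(src, base);
  return protocol === "https:" || protocol === "http:";
}

// Pull FRAME/IFRAME src attribute values out of markup. A regex is adequate for
// the constructed sample; untrusted documents should go through an HTML parser.
function frameSrcs(html) {
  const re = /<i?frame\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push(m[1] ?? m[2] ?? m[3]);
  }
  return out;
}

// Run both checks over every frame src and report the parsed scheme alongside.
function audit(html) {
  return frameSrcs(html).map((src) => ({
    src,
    protocol: parsedProtocol(src),
    naiveAllows: naiveIsSafeFrameSrc(src),
    hardenedAllows: hardenedIsSafeFrameSrc(src),
  }));
}

// Srcs the naive filter lets through but that parse to a non-http(s) scheme:
// exactly the whitespace-prefixed javascript: cases.
function naiveBypasses(html) {
  return audit(html)
    .filter((r) => r.naiveAllows && !r.hardenedAllows)
    .map((r) => r.src);
}

console.table(audit(SAMPLE_HTML));
```

The point of the hardened check is that the decision is made on the same normalized form the browser will act on, and that it allowlists http/https rather than denylisting dangerous schemes; a denylist would still need to anticipate every normalization a parser performs.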

Impact

Successful exploitation allows a remote attacker to inject arbitrary web script or HTML into the browser's rendering of a legitimate site. This can lead to information disclosure (e.g., reading cookies or session tokens), content modification, or phishing attacks, all within the security context of the affected domain.

Mitigation

Apple addressed this vulnerability in Safari 5.0 and Safari 4.1, released on June 7, 2010 [2]. Users should update Safari to version 5.0 (or later) for Mac OS X 10.5–10.6 and Windows, or version 4.1 for Mac OS X 10.4. No workaround is available, as the fix requires updating the affected software. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (9)

  • Apple Inc. / Safari (8 versions)
    • cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (range: <=4.0.5)
    • cpe:2.3:a:apple:safari:4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.0b:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.4:*:*:*:*:*:*:*
    • (no CPE) range: <5.0 (Mac OS X 10.5-10.6, Windows) and <4.1 (Mac OS X 10.4)
  • cpe:2.3:a:apple:webkit:*:*:*:*:*:*:*:*

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (24)

News mentions (0)

No linked articles in our index yet.