CVE-2010-1762
Description
Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors involving HTML in a TEXTAREA element.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WebKit in Apple Safari before 5.0 (Mac OS X 10.5–10.6, Windows) and before 4.1 (Mac OS X 10.4) is vulnerable to XSS via crafted HTML in a TEXTAREA element.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in WebKit, the rendering engine used by Apple Safari, when processing specially crafted HTML inside a TEXTAREA element. The issue affects Safari versions prior to 5.0 on Mac OS X 10.5 through 10.6 and Windows, as well as versions prior to 4.1 on Mac OS X 10.4 [2]. The vulnerability allows injected content to bypass expected context restrictions, enabling script execution in the security context of the originating site.
Exploitation
An attacker only needs to deliver a crafted HTML page (e.g., via a malicious link, iframe, or compromised site) to a user running an affected Safari version. The attack requires no additional authentication or user interaction beyond visiting the malicious page. By placing carefully constructed content inside a TEXTAREA element, the attacker can break out of the textarea's plain-text context and inject arbitrary HTML or JavaScript [3].
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the victim's browser session on the target domain. This can lead to information disclosure (e.g., reading cookies or local storage), modification of page content, session hijacking, or further malicious actions within the site's security boundary [1][2][3].
Mitigation
Apple has released Safari 5.0 (for Mac OS X 10.5–10.6 and Windows) and Safari 4.1 (for Mac OS X 10.4) to address this vulnerability [2]. Users should update to the latest version of Safari for their operating system. No workarounds are documented in the available references. The issue is not listed in the KEV (Known Exploited Vulnerabilities) catalog as of the publication date.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (+ 7 more)
- cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (range: <=4.0.5)
- cpe:2.3:a:apple:safari:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.0b:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.4:*:*:*:*:*:*:*
- (no CPE) (range: <5.0 on Mac OS X 10.5-10.6 and Windows; <4.1 on Mac OS X 10.4)
cpe:2.3:a:apple:webkit:*:*:*:*:*:*:*:* (+ 1 more)
- cpe:2.3:a:apple:webkit:*:*:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
References
- lists.apple.com/archives/security-announce/2010/Jun/msg00000.html (nvd; Patch, Vendor Advisory)
- www.securityfocus.com/bid/40620 (nvd; Patch)
- www.vupen.com/english/advisories/2010/1373 (nvd; Patch, Vendor Advisory)
- secunia.com/advisories/40105 (nvd; Vendor Advisory)
- support.apple.com/kb/HT4196 (nvd; Vendor Advisory)
- lists.apple.com/archives/security-announce/2010/Jun/msg00003.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html (nvd)
- secunia.com/advisories/41856 (nvd)
- secunia.com/advisories/43068 (nvd)
- securitytracker.com/id (nvd)
- support.apple.com/kb/HT4225 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.ubuntu.com/usn/USN-1006-1 (nvd)
- www.vupen.com/english/advisories/2010/2722 (nvd)
- www.vupen.com/english/advisories/2011/0212 (nvd)
- www.vupen.com/english/advisories/2011/0552 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7503 (nvd)