VYPR
Unrated severity · NVD Advisory · Published Jul 30, 2010 · Updated Apr 29, 2026

CVE-2010-1778

Description

Cross-site scripting (XSS) vulnerability in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via an RSS feed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in Apple Safari via RSS feed allows remote attackers to inject arbitrary web script or HTML.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Apple Safari's handling of RSS feeds. The flaw affects Safari versions before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4. When a user views a malicious RSS feed, the browser fails to properly sanitize the feed content, allowing arbitrary script injection [1].

Exploitation

An attacker can host a crafted RSS feed containing malicious HTML or JavaScript. The victim must view the feed in Safari (e.g., by subscribing to the feed or opening it directly). No additional authentication or network position is required beyond the ability to serve the feed. The script executes in the security context of the feed's origin [1].

Impact

Successful exploitation enables arbitrary web script or HTML injection, potentially leading to data theft, session hijacking, or defacement within the browser's security context. The attacker gains the ability to perform actions on behalf of the user within the affected Safari session [1].

Mitigation

Apple addressed this vulnerability in Safari 5.0.1 and Safari 4.1.1, released on July 28, 2010. Users should update to these or later versions. No workaround is documented; updating is the recommended mitigation [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • Apple Inc./Safari (9 versions)
    • cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (range: <=5.0)
    • cpe:2.3:a:apple:safari:4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.0b:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apple:safari:4.0.5:*:*:*:*:*:*:*
    • (no CPE) (range: <5.0.1)
  • cpe:2.3:a:apple:webkit:*:*:*:*:*:*:*:*

References

4