QtWeb 'javascript:' And 'data:' URI XSS Vulnerability Network Vulnerability

Summary

This host is installed with QtWeb Browser and is prone to Cross-Site Scripting vulnerability.

Impact

Successful exploitation will allow attackers to conduct Cross-Site Scripting attacks in the victim's system. Impact Level: Application

Solution

Upgrade to QtWeb version 3.2 or later For updates refer to http://www.qtweb.net/

Insight

Error occurs when application fails to sanitise the 'javascript:' and 'data:' URIs in Refresh headers or Location headers in HTTP responses, which can be exploited via vectors related to injecting a Refresh header or Location HTTP response header.

Affected

QtWeb version 3.0.0.145 on Windows.

References

http://websecurity.com.ua/3386/
http://xforce.iss.net/xforce/xfdb/52993

Updated on 2015-03-25

Severity

Classification

CVE CVE-2009-3018

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Apple Safari Multiple Vulnerabilities Dec13 (Mac OS X)
Adobe Reader Multiple Unspecified Vulnerabilities Jun06 (Mac OS X)
Adobe Flex SDK 'SWF' Files Cross-Site Scripting Vulnerability (Windows)
Adobe Reader 'file://' URL Information Disclosure Vulnerability Feb07 (Linux)
aMSN session hijack vulnerability (Windows)

Take action and discover your vulnerabilities