Summary
This host has QtWeb Browser installed and is prone to a cross-site scripting vulnerability.
Impact
Successful exploitation will allow attackers to conduct Cross-Site Scripting attacks in the victim's system.
Impact Level: Application
Solution
Upgrade to QtWeb version 3.2 or later.
For updates refer to http://www.qtweb.net/
Insight
The error occurs when the application fails to sanitise 'javascript:' and 'data:' URIs in Refresh or Location headers of HTTP responses. This can be exploited via vectors related to injecting a Refresh or Location HTTP response header.
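The following added example (not code from QtWeb or from this advisory) shows the kind of check the Insight says is missing: it extracts the redirect target from Location and Refresh headers and flags any target whose scheme is not on an allowlist. The function names and the http/https allowlist are assumptions made for illustration, and the sample headers are constructed.

```python
import re

# Assumption: only ordinary web schemes are acceptable redirect targets.
SAFE_SCHEMES = {"http", "https"}

def redirect_target(name, value):
    """Return the URI a Location or Refresh header points at, or None."""
    header = name.lower()
    if header == "location":
        return value.strip() or None
    if header == "refresh":
        # Refresh: <seconds>[;|,] [url=]<uri>   (the "url=" part is optional)
        m = re.match(r"\s*[\d.]+\s*[;,]?\s*(?:url\s*=\s*)?(.*)$", value, re.I | re.S)
        if not m:
            return None
        return m.group(1).strip().strip("'\"") or None
    return None

def scheme_of(uri):
    """Scheme as a browser URL parser would see it, or None if relative."""
    # URL parsers drop tab/CR/LF anywhere and leading control chars/spaces,
    # so "Java\tScript:" must be treated as "javascript:".
    cleaned = re.sub(r"[\t\r\n]", "", uri).lstrip("".join(map(chr, range(0x21))))
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None

def unsafe_redirects(headers):
    """Return (header, scheme, target) for each redirect outside the allowlist."""
    findings = []
    for name, value in headers:
        target = redirect_target(name, value)
        if target is None:
            continue
        scheme = scheme_of(target)
        if scheme is not None and scheme not in SAFE_SCHEMES:
            findings.append((name, scheme, target))
    return findings

# Constructed response headers for demonstration only.
SAMPLE = [
    ("Content-Type", "text/html"),
    ("Location", "https://example.com/next"),
    ("Refresh", "0; url=javascript:void(0)"),
    ("Location", " data:text/html,<b>x</b>"),
    ("Refresh", "5; URL=/home"),
    ("Refresh", "0;url='Java\tScript:void(0)'"),
]

if __name__ == "__main__":
    for finding in unsafe_redirects(SAMPLE):
        print("blocked:", finding)
```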
Affected
QtWeb version 3.0.0.145 on Windows.
References
Updated on 2015-03-25
Severity
Classification
- CVE: CVE-2009-3018
- CVSS Base Score: 4.3
- CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- Apple Safari Multiple Vulnerabilities
- Adobe Flash Player Multiple Security Bypass Vulnerabilities - 01 Feb14 (Linux)
- Adobe Flash Player Multiple Security Bypass Vulnerabilities - 01 Feb14 (Windows)
- Apple Safari Web Script Execution Vulnerabilities - June09
- Apple Mac OS X Multiple Vulnerabilities - 02 Jan14