CVE-2009-2816

Currently unrated

Key Information:

Vendor: Apple
Status: iPhone OS; Safari; Chrome
Vendor: CVE Published:; 13 November 2009

Summary

The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4.0.4 and Google Chrome before 3.0.195.33, includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web page.

References

http://secunia.com/advisories/43068

third-party-advisoryx_refsource_SECUNIA

http://www.vupen.com/english/advisories/2009/3233

vdb-entryx_refsource_VUPEN

http://lists.apple.com/archives/security-announce/2009/No...

vendor-advisoryx_refsource_APPLE

Timeline

Vulnerability published
Nov 13, 2009
Vulnerability Reserved
Aug 17, 2009