QtWeb 'javascript:' And 'data:' URI XSS Vulnerability Network Vulnerability

Summary

This host is installed with QtWeb Browser and is prone to Cross-Site Scripting vulnerability.

Impact

Successful exploitation will allow attackers to conduct Cross-Site Scripting attacks in the victim's system. Impact Level: Application

Solution

Upgrade to QtWeb version 3.2 or later For updates refer to http://www.qtweb.net/

Insight

Error occurs when application fails to sanitise the 'javascript:' and 'data:' URIs in Refresh headers or Location headers in HTTP responses, which can be exploited via vectors related to injecting a Refresh header or Location HTTP response header.

Affected

QtWeb version 3.0.0.145 on Windows.

References

http://websecurity.com.ua/3386/
http://xforce.iss.net/xforce/xfdb/52993

Updated on 2015-03-25

Severity

Classification

CVE CVE-2009-3018
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Apple Safari 'javascript: URI' XSS Vulnerability - Sep09
Apple Safari Webcore Webkit 'XSSAuditor.cpp' XSS Vulnerability (Windows)
Asterisk SIP Response Username Enumeration Remote Information Disclosure Vulnerability
Adobe Reader Multiple Vulnerabilities - Aug07 (Linux)
Apple iTunes Tutorials Window Security Bypass Vulnerability (Windows)

Take action and discover your vulnerabilities