CVE-2009-1699
high-risk
Published 2009-06-10
The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."
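The mechanism in the description is the classic XXE pattern: a DTD carried by the stylesheet (or by the document it transforms) declares a general entity with a SYSTEM identifier such as file:///etc/passwd, and the XSL processor expands that entity, so the local file's contents become part of the transform output that the attacker's page controls. The check below is an added example written for this page, not Apple or WebKit code: a stand-alone scanner, using only Python's standard-library expat bindings, that flags external entity declarations in XML/XSL input before it is handed to an XSLT engine, and never opens the URL an entity names. The three sample documents are constructed to match the shape the description gives and are not the published exploit.

```python
"""Flag external entity declarations (XXE indicators) in XML/XSL input.

Added example for this page, not Apple or WebKit code. Uses only the
standard-library expat bindings and never opens the URL an entity names:
it reports the declaration and whether content actually referenced it.
"""
import xml.parsers.expat
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ExternalEntity:
    name: str
    system_id: str
    is_parameter: bool
    referenced: bool = False   # expanded from content, not merely declared

    @property
    def scheme(self) -> str:
        return urlparse(self.system_id).scheme or "relative"

    @property
    def reads_local_file(self) -> bool:
        # file: URLs (the description's file:///etc/passwd case) and relative
        # system ids, which resolve against the document's own base URL.
        return self.scheme in ("file", "relative")


def find_external_entities(document: str) -> list[ExternalEntity]:
    """Return every entity declared with a SYSTEM/PUBLIC identifier."""
    found: dict[str, ExternalEntity] = {}
    parser = xml.parsers.expat.ParserCreate()
    # Do not fetch the external DTD subset or parameter entities either;
    # this is expat's default, stated explicitly because it is the point.
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_param, value, base, system_id, public_id,
                       notation):
        if system_id is not None:          # SYSTEM/PUBLIC => external entity
            found[name] = ExternalEntity(name, system_id, bool(is_param))

    def on_external_ref(context, base, system_id, public_id):
        # Content referenced an external general entity. Mark it and return 1
        # (success) without creating the sub-parser that would fetch it.
        for entity in found.values():
            if entity.system_id == system_id:
                entity.referenced = True
        return 1

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(document, True)
    return list(found.values())


def is_safe_to_transform(document: str) -> bool:
    """Policy applied before handing input to an XSLT engine: refuse anything
    that declares an external entity, whether or not it is referenced."""
    return not find_external_entities(document)


# Constructed sample in the shape the description outlines: the stylesheet's
# own DTD declares an entity for file:///etc/passwd and the template copies
# it into the output. Not the published exploit.
CRAFTED_XSL = """<?xml version="1.0"?>
<!DOCTYPE xsl:stylesheet [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html><body><pre>&xxe;</pre></body></html>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed source document that only declares the entity (never
# referenced) and points at a stylesheet; the policy still refuses it.
SOURCE_XML = """<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="crafted.xsl"?>
<!DOCTYPE data [
  <!ENTITY leak SYSTEM "file:///etc/passwd">
]>
<data/>
"""

# Constructed benign stylesheet: an internal entity carries no system id.
BENIGN_XSL = """<?xml version="1.0"?>
<!DOCTYPE xsl:stylesheet [
  <!ENTITY copy "&#169;">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><p>&copy; example</p></xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    for label, doc in [("crafted.xsl", CRAFTED_XSL),
                       ("source.xml", SOURCE_XML),
                       ("benign.xsl", BENIGN_XSL)]:
        verdict = "ok" if is_safe_to_transform(doc) else "REFUSE"
        print(f"{label}: {verdict}")
        for e in find_external_entities(doc):
            print(f"  entity {e.name} -> {e.system_id} ({e.scheme}, "
                  f"{'referenced' if e.referenced else 'declared only'}, "
                  f"{'local file read' if e.reads_local_file else 'remote'})")
```

The scanner deliberately treats a declared-but-unreferenced entity as a reason to refuse: an XSLT engine may expand it later from a template the scanner does not evaluate, and an unreferenced declaration in a stylesheet has no legitimate purpose. The same policy is what a hardened parser configuration enforces by disabling entity resolution outright.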
Do I need to act?
EPSS: 9.3% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Public exploits: 1 public exploit available
Patch status: unknown on this page; the affected-version range in the description (Safari before 4.0, iPhone OS through 2.2.1) implies fixed releases exist, so check the Apple vendor advisory HT3639 listed below for fix availability and mitigation guidance
CVSS: 7.5/10 (High), attack vector NETWORK, LOW attack complexity
Affected Products (6)
References (34)
http://osvdb.org/54972 (broken link)
http://secunia.com/advisories/35379 (broken link)
http://secunia.com/advisories/43068 (broken link)
http://support.apple.com/kb/HT3639 (vendor advisory)
http://www.securityfocus.com/bid/35260 (broken link)
http://www.securityfocus.com/bid/35321 (broken link)
http://www.ubuntu.com/usn/USN-857-1 (third-party advisory)
14 more references not shown
Risk score: 56/100 (high-risk)
Severity: 26/34 (High)
Exploitability: 17/34 (Moderate)
Exposure: 13/34 (Low)