← back
CVE-2009-2352

CVE-2009-2352

EPSS 2.0%
Google Chrome 1.0.154.48 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312. NOTE: it was later reported that 2.0.172.28, 2.0.172.37, and 3.0.193.2 Beta are also affected.
Affected products
n/a · n/a
public PoCs found1
exploitdbwww.exploit-db.com/exploits/33064unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://websecurity.com.ua/3275/http://websecurity.com.ua/3386/http://www.securityfocus.com/archive/1/504718/100/0/threadedhttp://www.securityfocus.com/archive/1/504723/100/0/threadedhttp://www.securityfocus.com/bid/35572