CVE-2009-1681

WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not prevent web sites from loading third-party content into a subframe, which allows remote attackers to bypass the Same Origin Policy and conduct clickjacking attacks via a crafted HTML document.

Affected Software

Name	Vendor	Start Version	End Version
Safari	Apple	*	4.0_beta (including)
Safari	Apple	0.8 (including)	0.8 (including)
Safari	Apple	0.9 (including)	0.9 (including)
Safari	Apple	1.0 (including)	1.0 (including)
Safari	Apple	1.0.3 (including)	1.0.3 (including)
Safari	Apple	1.1 (including)	1.1 (including)
Safari	Apple	1.2 (including)	1.2 (including)
Safari	Apple	1.3 (including)	1.3 (including)
Safari	Apple	1.3.1 (including)	1.3.1 (including)
Safari	Apple	1.3.2 (including)	1.3.2 (including)
Safari	Apple	2.0 (including)	2.0 (including)
Safari	Apple	2.0.2 (including)	2.0.2 (including)
Safari	Apple	2.0.4 (including)	2.0.4 (including)
Safari	Apple	3.0 (including)	3.0 (including)
Safari	Apple	3.0.2 (including)	3.0.2 (including)
Safari	Apple	3.0.3 (including)	3.0.3 (including)
Safari	Apple	3.0.4 (including)	3.0.4 (including)
Safari	Apple	3.1 (including)	3.1 (including)
Safari	Apple	3.1.1 (including)	3.1.1 (including)
Safari	Apple	3.1.2 (including)	3.1.2 (including)
Safari	Apple	3.2.1 (including)	3.2.1 (including)
Safari	Apple	3.2.3 (including)	3.2.3 (including)
Qt4-x11	Ubuntu	intrepid	*
Qt4-x11	Ubuntu	jaunty	*
Webkit	Ubuntu	hardy	*
Webkit	Ubuntu	intrepid	*
Webkit	Ubuntu	jaunty	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2009-1681
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html

Affected Software

References