CVE-2009-3015

Priority
Description
QtWeb 3.0 Builds 001 and 003 does not properly block javascript: and data:
URIs in Refresh and Location headers in HTTP responses, which allows remote
attackers to conduct cross-site scripting (XSS) attacks via vectors related
to (1) injecting a Refresh header that contains a javascript: URI, (2)
entering a javascript: URI when specifying the content of a Refresh header,
(3) injecting a Refresh header that contains JavaScript sequences in a
data:text/html URI, (4) entering a data:text/html URI with JavaScript
sequences when specifying the content of a Refresh header, (5) injecting a
Location header that contains JavaScript sequences in a data:text/html URI,
or (6) entering a data:text/html URI with JavaScript sequences when
specifying the content of a Location header.
Notes
mdeslaurdebian says: This is a web site issue (open redirector), not a
browser problem.
Package
Upstream:not-affected
Package
Upstream:not-affected
Package
Upstream:not-affected
Package
Upstream:not-affected
More Information

Updated: 2020-01-29 19:36:01 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)