CVE-2009-2797

Description

The WebKit component in Safari in Apple iPhone OS before 3.1, and iPhone OS before 3.1.1 for iPod touch, does not remove usernames and passwords from URLs sent in Referer headers, which allows remote attackers to obtain sensitive information by reading Referer logs on a web server.

How to fix CVE-2009-2797

To remediate CVE-2009-2797, upgrade the affected package to a fixed version below.

• Debian/qt4-x11—upgrade to 4:4.6.2-4 or later

Is CVE-2009-2797 being exploited?

Low — EPSS is 2.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 4:4.6.2-4

References (13)

• ADVISORYsecunia.com/advisories/36677
• ADVISORYsecunia.com/advisories/41856
• ADVISORYsecunia.com/advisories/43068
• ADVISORYwww.mandriva.com/security/advisories?name=MDVSA-2011:039
• ADVISORYwww.ubuntu.com/usn/USN-1006-1