CVE-2009-2816
EPSS 2.2%
Description
The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4.0.4 and Google Chrome before 3.0.195.33, includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web page.
How to fix CVE-2009-2816
To remediate CVE-2009-2816, upgrade the affected package to the fixed version listed below.
- Debian/qt4-x11—upgrade to 4:4.6.2-4 or later
Is CVE-2009-2816 being exploited?
Low — EPSS is 2.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Debian/qt4-x11: from 0, < 4:4.6.2-4