CVE-2009-2352

Google Chrome <1.0.154.48 - XSS

Title source: llm

Description

Google Chrome 1.0.154.48 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312. NOTE: it was later reported that 2.0.172.28, 2.0.172.37, and 3.0.193.2 Beta are also affected.

Exploits (1)

exploitdb WRITEUP VERIFIED

by MustLive · textremotemultiple

https://www.exploit-db.com/exploits/33064

View Code ZIP pw:eip

References (5)

[Various Sources] http://websecurity.com.ua/3275/

[Various Sources] http://websecurity.com.ua/3386/

[Exploit] http://www.securityfocus.com/bid/35572

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/504718/100/0/threaded

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/504723/100/0/threaded

Scores

EPSS 0.0091

EPSS Percentile 75.6%

Classification

CWE

CWE-79

Status published

Affected Products (17)

google/chrome < 1.0.154.48

google/chrome

google/chrome

google/chrome

google/chrome

google/chrome

google/chrome

google/chrome

google/chrome

google/chrome

google/chrome

google/chrome

google/chrome

google/chrome

google/chrome

... and 2 more

Timeline

Published Jul 07, 2009

Tracked Since Feb 18, 2026