CVE-2009-2352

Google Chrome <= 1.0.154.48 - Cross-Site Scripting via Refresh Header

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2352. PoCs published by MustLive.

AI-analyzed exploit summary The exploit describes a cross-site scripting (XSS) vulnerability in Google Chrome 1.0.154.48 due to improper sanitization of user-supplied input. An attacker can craft a URL with a malicious JavaScript payload in the 'refresh' header to execute arbitrary script code in the context of the user's session.

Description

Google Chrome 1.0.154.48 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312. NOTE: it was later reported that 2.0.172.28, 2.0.172.37, and 3.0.193.2 Beta are also affected.

Exploits (1)

exploitdb WRITEUP VERIFIED
by MustLive · textremotemultiple
https://www.exploit-db.com/exploits/33064

The exploit describes a cross-site scripting (XSS) vulnerability in Google Chrome 1.0.154.48 due to improper sanitization of user-supplied input. An attacker can craft a URL with a malicious JavaScript payload in the 'refresh' header to execute arbitrary script code in the context of the user's session.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Google Chrome 1.0.154.48
No auth needed
Prerequisites: A vulnerable version of Google Chrome · Ability to craft a malicious URL with a 'refresh' header
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (5)

Core 5
Core References
Various Sources x_refsource_misc
http://websecurity.com.ua/3386/
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35572
Various Sources x_refsource_misc
http://websecurity.com.ua/3275/
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/504723/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/504718/100/0/threaded

Scores

EPSS 0.0205
EPSS Percentile 78.7%

Details

CWE
CWE-79
Status published
Products (16)
google/chrome 0.2.149.29
google/chrome 0.2.149.30
google/chrome 0.2.152.1
google/chrome 0.2.153.1
google/chrome 0.3.154.0
google/chrome 0.3.154.3
google/chrome 0.4.154.18
google/chrome 0.4.154.22
google/chrome 0.4.154.31
google/chrome 0.4.154.33
... and 6 more
Published Jul 07, 2009
Tracked Since Feb 18, 2026