CVE-2011-0161

Safari < 5.0.4 - Same Origin Policy Bypass via Attr.style Accessor

Title source: llm
STIX 2.1

Description

WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does not properly handle the Attr.style accessor, which allows remote attackers to bypass the Same Origin Policy and inject Cascading Style Sheets (CSS) token sequences via a crafted web site.

References (7)

Core 7
Core References
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT4564
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/66000
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/46814
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT4566
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2011//Mar/msg00003.html
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2011//Mar/msg00004.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1025182

Scores

EPSS 0.0165
EPSS Percentile 73.8%

Details

CWE
CWE-20 CWE-264
Status published
Products (46)
apple/iphone_os 1.0.0
apple/iphone_os 1.0.1
apple/iphone_os 1.0.2
apple/iphone_os 1.1.0
apple/iphone_os 1.1.1
apple/iphone_os 1.1.2
apple/iphone_os 1.1.3
apple/iphone_os 1.1.4
apple/iphone_os 1.1.5
apple/iphone_os 2.0
... and 36 more
Published Mar 11, 2011
Tracked Since Feb 18, 2026