CVE-2009-3015

Name of the Vulnerable Software and Affected Versions: QtWeb version 3.0 Builds 001 and 003

Description: The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via various vectors related to injecting or entering malicious URIs in HTTP response headers. This includes injecting a Refresh header with a javascript: URI, entering a javascript: URI for a Refresh header, injecting a Refresh header with JavaScript sequences in a data:text/html URI, entering a data:text/html URI with JavaScript sequences for a Refresh header, injecting a Location header with JavaScript sequences in a data:text/html URI, or entering a data:text/html URI with JavaScript sequences for a Location header.

Recommendations: For QtWeb version 3.0 Builds 001 and 003, consider disabling the handling of javascript: and data: URIs in Refresh and Location headers as a temporary workaround until a patch is available. Restrict access to potentially vulnerable web pages to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.