CVE-2009-1412
High
CVSS v3 Base Score
7.8
AV:N/AC:L/Au:N/C:C/I:N/A:N
EPSS Score
0.3%
Exploitation probability in 30 days
Top 48% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Confidentiality
C
Integrity
None
Availability
None
Published: April 24, 2009 (6229 days ago)
Last Modified: April 23, 2026
Vendor: Microsoft
Source: NVD
Vulnerability Report
Generated by CyberWatcher
Description
Argument injection vulnerability in the chromehtml: protocol handler in Google Chrome before 1.0.154.59, when invoked by Internet Explorer, allows remote attackers to determine the existence of files, and open tabs for URLs that do not satisfy the IsWebSafeScheme restriction, via a web page that sets document.location to a chromehtml: value, as demonstrated by use of a (1) javascript: or (2) data: URL. NOTE: this can be leveraged for Universal XSS by exploiting certain behavior involving persistence across page transitions.
CWE
CWE-200
Affected Products
google chrome