CVE-2009-3018
CVE-2009-3018 is a medium-severity vulnerability in Maxthon Maxthon Browser with a CVSS 2.0 base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.
Key facts
- Severity: Medium (CVSS 2.0 base score 4.3)
- EPSS exploit prediction: 1% (61st percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-79
- Affected product: Maxthon Maxthon Browser
- Published:
- Last modified:
Description
Maxthon Browser 3.0.0.145 Alpha with Ultramode does not properly block javascript: and data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains a javascript: URI, (2) entering a javascript: URI when specifying the content of a Refresh header, (3) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI, or (4) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header; does not properly block data: URIs in Location headers in HTTP responses, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (5) injecting a Location header that contains JavaScript sequences in a data:text/html URI or (6) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header; and does not properly handle javascript: URIs in HTML links within (a) 301 and (b) 302 error documents sent from web servers, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (7) injecting a Location HTTP response header or (8) specifying the content of a Location HTTP response header.
Frequently asked questions
- What is CVE-2009-3018?
- Maxthon Browser 3.0.0.145 Alpha with Ultramode does not properly block javascript: and data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains a javascript: URI, (2) entering a javascript: URI when specifying the content of a Refresh header, (3) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI, or (4) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header; does not properly block data: URIs in Location headers in HTTP responses, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (5) injecting a Location header that contains JavaScript sequences in a data:text/html URI or (6) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header; and does not properly handle javascript: URIs in HTML links within (a) 301 and (b) 302 error documents sent from web servers, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (7) injecting a Location HTTP response header or (8) specifying the content of a Location HTTP response header.
- How severe is CVE-2009-3018?
- CVE-2009-3018 has a CVSS 2.0 base score of 4.3, rated medium severity.
- Is CVE-2009-3018 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (61st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2009-3018?
- CVE-2009-3018 affects Maxthon Maxthon Browser. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2009-3018?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2009-3018 published?
- CVE-2009-3018 was published on 2009-08-31 and last updated on 2026-06-16.
References
- http://websecurity.com.ua/3386/
- http://www.securityfocus.com/archive/1/506163/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53001
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6524
Affected products (1)
- cpe:2.3:a:maxthon:maxthon_browser:3.0.0.145:alpha:*:*:*:*:*:*
More vulnerabilities in Maxthon Maxthon Browser
- CVE-2019-16647 — High (CVSS 7.2): Unquoted Search Path in Maxthon 5.1.0 to 5.2.7 Browser for Windows.
- CVE-2010-5246 — Medium (CVSS 6.9): Multiple untrusted search path vulnerabilities in Maxthon Browser 1.6.7.35 and 2.5.15 allow local users to gain…
- CVE-2008-3667 — Medium (CVSS 6.8): Stack-based buffer overflow in Maxthon Browser 2.0 and earlier allows remote attackers to execute arbitrary code via a…
- CVE-2009-3006 — Medium (CVSS 4.3): Maxthon Browser 2.5.3.80 UNICODE allows remote attackers to spoof the address bar, via window.open with a relative URI,…
All CVEs affecting Maxthon Maxthon Browser →
Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities
- CVE-2025-49410 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC…
- CVE-2024-47875 — Critical (CVSS 10.0): DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to…
- CVE-2024-6886 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea…
- CVE-2023-45144 — Critical (CVSS 10.0): com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on…
- CVE-2023-45138 — Critical (CVSS 10.0): Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly.…
- CVE-2022-4361 — Critical (CVSS 10.0): Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the…
Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →