Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4975 to the following vulnerability:

Name: CVE-2009-4975
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4975
Assigned: 20100802
Reference: MISC: http://bugreports.qt.nokia.com/browse/QTWEBKIT-22
Reference: MISC: https://bugs.kde.org/show_bug.cgi?id=217464
Reference: MISC: https://bugs.webkit.org/show_bug.cgi?id=32252
Reference: XF:qtdemobrowser-webview-xss(60879)
Reference: URL: http://xforce.iss.net/xforce/xfdb/60879

Cross-site scripting (XSS) vulnerability in webview.cpp in QtDemoBrowser allows remote attackers to inject arbitrary web script or HTML via a URL associated with a nonexistent domain name, related to a "universal XSS" issue, a similar vulnerability to CVE-2010-2536.
Created webkitkde tracking bugs for this issue Affects: fedora-all [bug 652111]
Created arora tracking bugs for this issue Affects: fedora-all [bug 652112]
https://bugs.kde.org/show_bug.cgi?id=217464#c3 This bug was fixed when it was reported. webkitkde is obsoleted by kwebkitpart-0.9.6 in Fedora 12+. kwebkitpart-0.9.6 has a fix for this bug.
See also this thread on kde-devel: http://mail.kde.org/pipermail/webkit-devel/2010-September/001133.html
Seems like Arora just says "Failed to load" in the status bar -> no injection into the error page.