The execCommand JavaScript function in WebKit in Apple Safari before 5.0 or iTunes before 9.2 on Windows, does not properly restrict remote execution of clipboard commands, which allows remote attackers to modify the clipboard via a crafted HTML document.