WebKit in Apple Safari before 4.0 allows remote attackers to spoof the browser's display of (1) the host name, (2) security indicators, and unspecified other UI elements via a custom cursor in conjunction with a modified CSS3 hotspot property.
Exploitability: AV:N AC:H Au:N
Impact: C:P I:N A:N
2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N