[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

248149

 
 

909

 
 

194803

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2009-1312Date: (C)2009-04-22   (M)2024-03-27


Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V2 Severity:
CVSS Score : 4.3
Exploit Score: 8.6
Impact Score: 2.9
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
  
Reference:
SECTRACK-1022096
http://www.securityfocus.com/archive/1/archive/1/504718/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/504723/100/0/threaded
SUNALERT-264308
BID-34656
SECUNIA-34758
SECUNIA-34843
SECUNIA-34844
SECUNIA-34894
SECUNIA-35065
ADV-2009-1125
FEDORA-2009-3875
MDVSA-2009:111
RHSA-2009:0436
RHSA-2009:0437
SUSE-SR:2009:010
USN-764-1
http://ha.ckers.org/blog/20070309/firefox-header-redirection-javascript-execution/
http://websecurity.com.ua/3275/
http://websecurity.com.ua/3386/
http://www.mozilla.org/security/announce/2009/mfsa2009-22.html
https://bugzilla.mozilla.org/show_bug.cgi?id=475636
oval:org.mitre.oval:def:6064
oval:org.mitre.oval:def:6131
oval:org.mitre.oval:def:6731
oval:org.mitre.oval:def:9818

CPE    82
cpe:/a:mozilla:firefox:1.5:beta2
cpe:/a:mozilla:firefox:1.5:beta1
cpe:/a:mozilla:firefox:0.8
cpe:/a:mozilla:firefox:0.7
...
CWE    1
CWE-16
OVAL    57
oval:org.secpod.oval:def:200597
oval:org.mitre.oval:def:6064
oval:org.secpod.oval:def:202680
oval:org.mitre.oval:def:6131
...

© SecPod Technologies