CVSS: 6.0EPSS: 0%CPEs: 10EXPL: 0CVE-2008-5507 – Firefox Cross-domain data theft via script redirect error message
https://notcve.org/view.php?id=CVE-2008-5507
Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allow remote attackers to bypass the same origin policy and access portions of data from another domain via a JavaScript URL that redirects to the target resource, which generates an error if the target data does not have JavaScript syntax, which can be accessed using the window.onerror DOM API. Mozilla Firefox 3.x versiones anteriores a v3.0.5 y 2.x versiones anteriores a v2.0.0.19, Thunderbird 2.x versiones anteriores a v2.0.0.19 y SeaMonkey 1.x versiones anteriores a v1.1.14 permite a atacantes remotos evitar la política origen y acceder a partes de datos de otro dominio a través de URL javascript que redirige a la fuente objetivo, el cual genera un error si los datos objetivo no tienen sintaxis Javascript, a los que se puede acceder utilizando la API window.onerror DOM. • http://scary.beasts.org/security/CESA-2008-011.html http://secunia.com/advisories/33184 http://secunia.com/advisories/33188 http://secunia.com/advisories/33189 http://secunia.com/advisories/33203 http://secunia.com/advisories/33204 http://secunia.com/advisories/33205 http://secunia.com/advisories/33216 http://secunia.com/advisories/33231 http://secunia.com/advisories/33232 http://secunia.com/advisories/33408 http://secunia.com/advisories/33415 http://secunia.com/advisories • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 0%CPEs: 9EXPL: 0CVE-2008-5510 – Firefox null characters ignored by CSS parser
https://notcve.org/view.php?id=CVE-2008-5510
The CSS parser in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 ignores the '\0' escaped null character, which might allow remote attackers to bypass protection mechanisms such as sanitization routines. El analizador CSS en Mozilla Firefox 3.x en versiones anteriores a 3.0.5 y 2.x en versiones anteriores 2.0.0.19, Thunderbird 2.x en versiones anteriores a 2.0.0.19, y SeaMonkey 1.x en versiones anteriores a 1.1.14 ignora el carácter de escape nulo '\0', el cual debería permitir a un atacante remoto evitar los mecanismos de protección como las rutinas de limpieza. • http://secunia.com/advisories/33184 http://secunia.com/advisories/33188 http://secunia.com/advisories/33203 http://secunia.com/advisories/33204 http://secunia.com/advisories/33205 http://secunia.com/advisories/33216 http://secunia.com/advisories/33231 http://secunia.com/advisories/33408 http://secunia.com/advisories/33523 http://secunia.com/advisories/34501 http://secunia.com/advisories/35080 http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1 http://sunso •
CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2008-5511 – Firefox XSS via XBL bindings to unloaded document
https://notcve.org/view.php?id=CVE-2008-5511
Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy and conduct cross-site scripting (XSS) attacks via an XBL binding to an "unloaded document." Mozilla Firefox 3.x antes de v3.0.5 y 2.x antes de v2.0.0.19, Thunderbird 2.x antes 2.0.0.19 y SeaMonkey 1.x antes de v1.1.14 permite a atacantes remotos evitar la política de mismo origen y llevar a cabo ataques de secuencias de comandos en sitios cruzados (XSS) mediante una vinculación XBL a un "documento no descargado". • http://secunia.com/advisories/33184 http://secunia.com/advisories/33188 http://secunia.com/advisories/33189 http://secunia.com/advisories/33203 http://secunia.com/advisories/33204 http://secunia.com/advisories/33205 http://secunia.com/advisories/33216 http://secunia.com/advisories/33231 http://secunia.com/advisories/33232 http://secunia.com/advisories/33408 http://secunia.com/advisories/33415 http://secunia.com/advisories/33421 http://secunia.com/advisories/33433 http:/& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.6EPSS: 4%CPEs: 54EXPL: 0CVE-2008-5503 – Firefox 2 Information stealing via loadBindingDocument
https://notcve.org/view.php?id=CVE-2008-5503
The loadBindingDocument function in Mozilla Firefox 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not perform any security checks related to the same-domain policy, which allows remote attackers to read or access data from other domains via crafted XBL bindings. La función loadBindingDocument en Mozilla Firefox 2.x antes de v2.0.0.19, Thunderbird 2.x antes de v2.0.0.19 y SeaMonkey 1.x antes de v1.1.14 no realiza ninguna comprobación de seguridad relacionada con la política de mismo dominio, que permite a atacantes remotos leer o acceder a datos de otros dominios mediante vínculos XBL manipulados. • http://secunia.com/advisories/33184 http://secunia.com/advisories/33189 http://secunia.com/advisories/33204 http://secunia.com/advisories/33205 http://secunia.com/advisories/33231 http://secunia.com/advisories/33232 http://secunia.com/advisories/33408 http://secunia.com/advisories/33415 http://secunia.com/advisories/33421 http://secunia.com/advisories/33433 http://secunia.com/advisories/33434 http://secunia.com/advisories/33523 http://secunia.com/advisories/33547 http:/& •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2008-5513 – Firefox XSS vulnerabilities in SessionStore
https://notcve.org/view.php?id=CVE-2008-5513
Unspecified vulnerability in the session-restore feature in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19 allows remote attackers to bypass the same origin policy, inject content into documents associated with other domains, and conduct cross-site scripting (XSS) attacks via unknown vectors related to restoration of SessionStore data. Vulnerabilidad no especificada en la característica session-restore en Mozilla Firefox 3.x versiones anteriores a v3.0.5 y 2.x versiones anteriores a v2.0.0.19 permite a atacantes remotos evitar la misma política de origen, inyectar contenido dentro de documentos asociados con otros dominios, y llevar a cabo un ataque de secuencias de comandos en sitios cruzados (XSS) a través de vectores desconocidos relacionados con la restauración de datos SessionStore. • http://secunia.com/advisories/33184 http://secunia.com/advisories/33188 http://secunia.com/advisories/33189 http://secunia.com/advisories/33203 http://secunia.com/advisories/33216 http://secunia.com/advisories/33231 http://secunia.com/advisories/33421 http://secunia.com/advisories/33523 http://secunia.com/advisories/34501 http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1 http://www.debian.org/security/2009/dsa-1707 http://www.mandriva.com/security/advisor • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •