CVSS: 4.3EPSS: 17%CPEs: 18EXPL: 0CVE-2007-2871 – Multiple Firefox flaws (CVE-2007-1562, CVE-2007-2867, CVE-2007-2868, CVE-2007-2869, CVE-2007-2870, CVE-2007-2871)
https://notcve.org/view.php?id=CVE-2007-2871
Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to spoof or hide the browser chrome, such as the location bar, by placing XUL popups outside of the browser's content pane. NOTE: this issue can be leveraged for phishing and other attacks. El Mozilla Firefox 1.5.x anterior al 1.5.0.12 y el 2.x anterior al 2.0.0.4 y el SeaMonkey 1.0.9 y 1.1.2, permiten a atacantes remotos simular o esconder el "browser chrome", como el de la barra de ubicación, mediante la colocación de popups XUL fuera de la ventana que contiene el buscador. NOTA: Esta vulnerabilidad se puede utilizar para ataques de phishing y otros tipos. • http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 http://osvdb.org/35137 http://secunia.com/advisories/25469 http://secunia.com/advisories/25476 http://secunia.com/advisories/25488 http://secunia.com/advisories/25490 http://secunia.com/advisories/25491 http://secunia.com/advisories/25533 http://secunia.com/advisories/25534 http://secunia.com/advisories/25559 http://secunia.com/advisories/25635 http://secunia.com/advisories/25647 http://secunia. •
CVSS: 4.3EPSS: 22%CPEs: 4EXPL: 0CVE-2007-0995
https://notcve.org/view.php?id=CVE-2007-0995
Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 ignores trailing invalid HTML characters in attribute names, which allows remote attackers to bypass content filters that use regular expressions. Mozilla Firefox anterior a 1.5.0.10 y 2.x anterior a 2.0.0.2, y SeaMonkey anterior a 1.0.8 ignoran el tratamiento de caracteres HTML inválidos en nombres de atributo, lo cual permite a atacantes remotos evitar filtros de contenido que usan expresiones regulares. • ftp://patches.sgi.com/support/free/security/advisories/20070202-01-P.asc ftp://patches.sgi.com/support/free/security/advisories/20070301-01-P.asc http://fedoranews.org/cms/node/2713 http://fedoranews.org/cms/node/2728 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 http://ha.ckers.org/xss.html#XSS_Non_alpha_non_digit2 http://lists.suse.com/archive/suse-security-announce/2007-Mar/0001.html http://osvdb.org/32112 http://rhn.redhat.com/er • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 54%CPEs: 75EXPL: 0CVE-2007-1095
https://notcve.org/view.php?id=CVE-2007-1095
Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 do not properly implement JavaScript onUnload handlers, which allows remote attackers to run certain JavaScript code and access the location DOM hierarchy in the context of the next web site that is visited by a client. Mozilla Firefox anterior a versión 2.0.0.8 y SeaMonkey anterior a versión 1.1.5, no implementan apropiadamente los manejadores onUnload de JavaScript, lo que permite a los atacantes remotos ejecutar cierto código JavaScript y acceder a la jerarquía DOM location en el contexto del siguiente sitio web visitado por un cliente • http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 http://lcamtuf.coredump.cx/ietrap/ff http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052630.html http://osvdb.org/33809 http://secunia.com/advisories/27276 http://secunia.com/advisories/27298 http://secunia.com/advisories/27311 http://secunia.com/advisories/27315 http://secunia.com/advisories/27325 http://secunia.com/advisories/27327 http://secunia.com/advisories/27335 http://sec •
CVSS: 6.8EPSS: 96%CPEs: 86EXPL: 0CVE-2007-0008 – NSS: SSLv2 protocol buffer overflows
https://notcve.org/view.php?id=CVE-2007-0008
Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow. Un subdesbordamiento de enteros en el soporte SSLv2 en Mozilla Network Security Services (NSS) versiones anteriores a 3.11.5, como es usado por Firefox versiones anteriores a 1.5.0.10 y versiones 2.x anteriores a 2.0.0.2, SeaMonkey versiones anteriores a 1.0.8, Thunderbird versiones anteriores a 1.5.0.10, y ciertos productos de servidor de Sun Java System anteriores a 20070611, permite a atacantes remotos ejecutar código arbitrario por medio de un mensaje de servidor SSLv2 especialmente diseñado que contiene una clave pública que es demasiado corta para cifrar el "Master Secret", lo resulta en un desbordamiento en la región heap de la memoria. • ftp://patches.sgi.com/support/free/security/advisories/20070202-01-P.asc ftp://patches.sgi.com/support/free/security/advisories/20070301-01-P.asc http://fedoranews.org/cms/node/2709 http://fedoranews.org/cms/node/2711 http://fedoranews.org/cms/node/2713 http://fedoranews.org/cms/node/2728 http://fedoranews.org/cms/node/2747 http://fedoranews.org/cms/node/2749 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 http://labs.idefense.com/ • CWE-189: Numeric Errors •