
CVSS: 6.5 • EPSS: 1% • CPEs: 92 • EXPL: 0

04 Feb 2009 — components/sessionstore/src/nsSessionStore.js in Mozilla Firefox before 3.0.6 does not block changes of INPUT elements to type="file" during tab restoration, which allows user-assisted remote attackers to read arbitrary files on a client machine via a crafted INPUT element. • http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00001.html • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 9.6 • EPSS: 0% • CPEs: 93 • EXPL: 0

04 Feb 2009 — Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582. • http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00001.html • CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVSS: 5.3 • EPSS: 0% • CPEs: 98 • EXPL: 0

04 Feb 2009 — Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. • http://ha.ckers.org/blog/20070511/bluehat-errata • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 10.0 • EPSS: 3% • CPEs: 10 • EXPL: 0

17 Dec 2008 — The layout engine in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to (1) a reachable assertion or (2) an integer overflow. • http://secunia.com/advisories/33184 • CWE-399: Resource Management Errors

CVSS: 7.5 • EPSS: 3% • CPEs: 5 • EXPL: 0

17 Dec 2008 — The layout engine in Mozilla Firefox 3.x before 3.0.5, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service via vectors that trigger an assertion failure. • http://secunia.com/advisories/33188

CVSS: 7.5 • EPSS: 2% • CPEs: 5 • EXPL: 0

17 Dec 2008 — The layout engine in Mozilla Firefox 3.x before 3.0.5, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service (crash) via vectors that trigger memory corruption, related to the GetXMLEntity and FastAppendChar functions. • http://secunia.com/advisories/33188 • CWE-399: Resource Management Errors

CVSS: 7.5 • EPSS: 0% • CPEs: 54 • EXPL: 0

17 Dec 2008 — The loadBindingDocument function in Mozilla Firefox 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not perform any security checks related to the same-domain policy, which allows remote attackers to read or access data from other domains via crafted XBL bindings. • http://secunia.com/advisories/33184

CVSS: 7.5 • EPSS: 2% • CPEs: 19 • EXPL: 0

17 Dec 2008 — Mozilla Firefox 2.x before 2.0.0.19 allows remote attackers to run arbitrary JavaScript with chrome privileges via vectors related to the feed preview, a different vulnerability than CVE-2008-3836. • http://secunia.com/advisories/33184 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 5.3 • EPSS: 0% • CPEs: 5 • EXPL: 0

17 Dec 2008 — Mozilla Firefox 3.x before 3.0.5 allows remote attackers to bypass intended privacy restrictions by using the persist attribute in an XUL element to create and access data entities that are similar to cookies. • http://secunia.com/advisories/33188 • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 6.8 • EPSS: 1% • CPEs: 10 • EXPL: 0

17 Dec 2008 — Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allow remote attackers to bypass the same origin policy by causing the browser to issue an XMLHttpRequest to an attacker-controlled resource that uses a 302 redirect to a resource in a different domain, then reading content from the response, aka "response disclosure." • http://secunia.com/advisories/33184 • CWE-264: Permissions, Privileges, and Access Controls