CVSS: 7.5EPSS: 1%CPEs: 27EXPL: 0CVE-2004-0867
https://notcve.org/view.php?id=CVE-2004-0867
Mozilla Firefox 0.9.2 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. NOTE: it was later reported that 2.x is also affected. Mozilla Firefox 0.9.2 pemite a sitios web establecer cookies para dominios de nivel superior específicos de países, como .ltd.uk, .plc.uk, y .sch.uk, lo que podría permitir a atacantes remotos realizar ataques de fijación de sesión y secuestrar sesiones HTTP de un usuario. NOTA: se ha informado posteriormente que la versión 2.X también se encuentra afectada por esta vulnerabilidad. • http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html http://marc.info/?l=bugtraq&m=109536612321898&w=2 http://secunia.com/advisories/12580 http://securitytracker.com/id?1011331 http://www.securityfocus.com/bid/11186 https://bugzilla.mozilla.org/show_bug.cgi?id=252342 https://exchange.xforce.ibmcloud.com/vulnerabilities/17415 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 27EXPL: 0CVE-2004-0866
https://notcve.org/view.php?id=CVE-2004-0866
Internet Explorer 6.0 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. • http://marc.info/?l=bugtraq&m=109536612321898&w=2 http://securitytracker.com/id?1011332 http://www.securityfocus.com/bid/11186 https://exchange.xforce.ibmcloud.com/vulnerabilities/17415 •
CVSS: 5.0EPSS: 0%CPEs: 18EXPL: 0CVE-2004-0870
https://notcve.org/view.php?id=CVE-2004-0870
KDE Konqueror does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection." • http://securityfocus.com/archive/1/375407 http://securitytracker.com/id?1011330 http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt https://exchange.xforce.ibmcloud.com/vulnerabilities/17417 •
CVSS: 5.0EPSS: 1%CPEs: 12EXPL: 2CVE-2004-0527 – KDE Konqueror 3.x - Embedded Image URI Obfuscation
https://notcve.org/view.php?id=CVE-2004-0527
KDE Konqueror 2.1.1 and 2.2.2 allows remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing" attack. KDE Konqueror 2.1.1 y 2.2.2 permiten a atacantes remotos suplantar URL legítimas en la barra de estado mediante etiquetas A HREF con valores "alt" modificados que apuntan al sitio legítimo, combinado con un mapa de imagen cuyo HREF apunta al sitio malicioso, lo que facilita ataques de suplantación para robo de datos (phising)". • https://www.exploit-db.com/exploits/24136 http://www.osvdb.org/6579 http://www.securityfocus.com/bid/10383 https://exchange.xforce.ibmcloud.com/vulnerabilities/16102 •
CVSS: 7.5EPSS: 17%CPEs: 1EXPL: 0CVE-2004-0411
https://notcve.org/view.php?id=CVE-2004-0411
The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code. Los manejadores de URI en Konqueror de KDE 3.2.2 y anteriores no filtran adecuadamente caractéres "-" en el inicio de un nombre de máquina en URIs (1) telnet, (2) rlogin, (3) ssh, o (4) mailto, lo que permite a atacantes remotos manipular las opciones que son pasadas a los programas asociados, posiblemente permitiendo leer ficheros o ejecutar código de su elección. • http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000843 http://marc.info/?l=bugtraq&m=108481412427344&w=2 http://secunia.com/advisories/11602 http://security.gentoo.org/glsa/glsa-200405-11.xml http://www.ciac.org/ciac/bulletins/o-146.shtml http://www.debian.org/security/2004/dsa-518 http://www.kde.org/info/security/advisory-20040517-1.txt http://www.novell.com/linux/security/advisories/2004_14_kdelibs.html http://www.osvdb.org/6107 http://www.red • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •