Page 383 of 2337 results (0.016 seconds)

CVSS: 5.8EPSS: 3%CPEs: 108EXPL: 3

CVE-2009-2654 – Mozilla Firefox 3.5.1 - Error Page Address Bar URI Spoofing

https://notcve.org/view.php?id=CVE-2009-2654

Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page. Firefox de Mozilla anterior a versión 3.0.13, y versiones 3.5.x anteriores a 3.5.2, permite a atacantes remotos falsificar la barra de direcciones y posiblemente realizar ataques de tipo phishing, por medio de una página web diseñada que llama a window.open con un carácter no válido en la URL, hace llamadas de document.write hacia el objeto resultante y luego llama al método stop durante la carga de la página de error. • https://www.exploit-db.com/exploits/33103 http://blog.mozilla.com/security/2009/07/28/url-bar-spoofing-vulnerability http://es.geocities.com/jplopezy/firefoxspoofing.html http://osvdb.org/56717 http://secunia.com/advisories/36001 http://secunia.com/advisories/36126 http://secunia.com/advisories/36141 http://secunia.com/advisories/36435 http://secunia.com/advisories/36669 http://secunia.com/advisories/36670 http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1 ht • CWE-20: Improper Input Validation •

CVSS: 6.8EPSS: 0%CPEs: 12EXPL: 0

CVE-2009-2408 – firefox/nss: doesn't handle NULL in Common Name properly

https://notcve.org/view.php?id=CVE-2009-2408

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5. Mozilla Firefox anterior a v3.5 y NSS anterior a v3.12.3 no tratan apropiadamente un carácter '\0' en un nombre de dominio en el campo nombre común (CN) del asunto de un certificado X.509, que permite a un atacante de hombre-en-el-medio suplantar servidores SSL arbitrarios a través de un certificado manipulado por una autoridad de certificación. • http://isc.sans.org/diary.html?storyid=7003 http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html http://marc.info/?l=oss-security&m=125198917018936&w=2 http://osvdb.org/56723 http://secunia.com/advisories/36088 http://secunia.com/advisories/36125 http://secunia.com/advisories/36139 http://secunia.com/advisories/36157 http://secunia.com/advisories/36434 http://secunia.com/advisories/36669 http://secunia.com/advisories/37098 http://sunsolve.sun.com • CWE-295: Improper Certificate Validation •

CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0

CVE-2009-2472 – Mozilla multiple cross origin wrapper bypasses

https://notcve.org/view.php?id=CVE-2009-2472

Mozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrapper when required during object construction, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted document, related to a "cross origin wrapper bypass." Mozilla Firefox anteriores a v3.0.12 no usa siempre XPCCrossOriginWrapper cuando es requerido durante la construcción del objeto, lo que permite a atacantes remotos eludir la "Same Origin Policy" y realizar ataques de secuencias de comandos en sitios cruzados (XSS) mediante un documento manipulado, relacionado con una "cross origin wrapper bypass." • http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00002.html http://rhn.redhat.com/errata/RHSA-2009-1162.html http://secunia.com/advisories/35914 http://secunia.com/advisories/35944 http://secunia.com/advisories/36005 http://secunia.com/advisories/36145 http://sunsolve.sun.com/search/document.do?assetkey=1-26-265068-1 http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020800.1-1 http: • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 10.0EPSS: 50%CPEs: 116EXPL: 1

CVE-2009-2466 – Mozilla JavaScript engine crashes

https://notcve.org/view.php?id=CVE-2009-2466

The JavaScript engine in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) nsDOMClassInfo.cpp, (2) JS_HashTableRawLookup, and (3) MirrorWrappedNativeParent and js_LockGCThingRT. JavaScript engine en Mozilla Firefox anteriores v3.0.12 y Thunderbird permite a atacantes remotos causar una denegación de servicio (consumo de memoria y caída de aplicación) o posiblemente ejecutar código a su elección a través de vectores relacionados a (1) nsDOMClassInfo.cpp, (2) JS_HashTableRawLookup, y(3) MirrorWrappedNativeParent and js_LockGCThingRT. • http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00002.html http://rhn.redhat.com/errata/RHSA-2009-1162.html http://rhn.redhat.com/errata/RHSA-2009-1163.html http://secunia.com/advisories/35914 http://secunia.com/advisories/35943 http://secunia.com/advisories/35944 http://secunia.com/advisories/35947 http://secunia.com/advisories/36005 http://secunia.com/advisories/36145 http://sunsolve. • CWE-399: Resource Management Errors •

CVSS: 10.0EPSS: 1%CPEs: 95EXPL: 0

CVE-2009-2471 – Mozilla setTimeout loses XPCNativeWrappers

https://notcve.org/view.php?id=CVE-2009-2471

The setTimeout function in Mozilla Firefox before 3.0.12 does not properly preserve object wrapping, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafted call, related to XPCNativeWrapper. La función setTimeout en Mozilla Firefox anterior a 3.0.12 no conserva adecuadamente la encapsulación del objeto, lo que permite a atacantes remotos ejecutar código JavaScript de su elección con privilegios chrome a través de una llamada manipulada. Relacionado con XPCNativeWrapper. • http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00002.html http://rhn.redhat.com/errata/RHSA-2009-1162.html http://secunia.com/advisories/35914 http://secunia.com/advisories/35944 http://secunia.com/advisories/36005 http://secunia.com/advisories/36145 http://www.mozilla.org/security/announce/2009/mfsa2009-39.html http://www.securityfocus.com/bid/35758 http://www.vupen.com/english/advisories •