CVSS: 4.3EPSS: 0%CPEs: 102EXPL: 0CVE-2009-1306 – jar: scheme ignores the content-disposition: header on the inner URI
https://notcve.org/view.php?id=CVE-2009-1306
The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation. La implementación de jar: URI en Mozilla Firefox anteriores 3.0.9, Thunderbird, y SeaMonkey no cumplen la cabecera "Content-Disposition" de la URI interna, permitiendo a atacantes remotos realizar ataques de secuencias de comandos en sitios cruzados (XSS) y posiblemente otros ataques al utilizar un fichero .jar cargado con una designación "Content-Disposition: attachment". • http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html http://rhn.redhat.com/errata/RHSA-2009-0437.html http://secunia.com/advisories/34758 http://secunia.com/advisories/34780 http://secunia.com/advisories/34843 http://secunia.com/advisories/34844 http://secunia.com/advisories/34894 http://secunia.com/advisories/35042 http://secunia.com/advisories/35065 http://secunia.com/advisories/35536 http://sunsolve.sun.com/search/document.do?assetkey=1-66-264308-1 h • CWE-16: Configuration •
CVSS: 6.8EPSS: 14%CPEs: 77EXPL: 1CVE-2009-1305 – Firefox 2 and 3 JavaScript engine crash
https://notcve.org/view.php?id=CVE-2009-1305
The JavaScript engine in Mozilla Firefox before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors involving JSOP_DEFVAR and properties that lack the JSPROP_PERMANENT attribute. El motor JavaScript en Mozilla Firefox antes de 3.0.9, Thunderbird antes de 2.0.0.22, y SeaMonkey antes de 1.1.16 permite a atacantes remotos provocar una denegación de servicio (caída de la aplicación) y posiblemente disparar una corrupción de memoria mediante vectores en relación con JSOP_DEFVAR y con las propiedades que carecen del atributo JSPROP_PERMANENT. • http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html http://rhn.redhat.com/errata/RHSA-2009-0437.html http://secunia.com/advisories/34758 http://secunia.com/advisories/34780 http://secunia.com/advisories/34843 http://secunia.com/advisories/34844 http://secunia.com/advisories/34894 http://secunia.com/advisories/35042 http://secunia.com/advisories/35065 http://secunia.com/advisories/35536 http://secunia.com/advisories/35602 http://sunsolve.sun.com/search&# • CWE-399: Resource Management Errors •
CVSS: 6.8EPSS: 5%CPEs: 198EXPL: 0CVE-2009-1303 – Firefox 2 and 3 Layout engine crash
https://notcve.org/view.php?id=CVE-2009-1303
The browser engine in Mozilla Firefox before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors related to nsSVGElement::BindToTree. El navegador del motor en Mozilla Firefox versiones anteriores a v3.0.9, Thunderbird versiones anteriores a v2.0.0.22, y SeaMonkey versiones anteriores a v1.1.16 permite a atacantes remotos provocar una denegación de servicio (caída de aplicación) y posiblemente disparar corrupción de memoria a través de vectores relacionados con nsSVGElement::BindToTre. • http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html http://rhn.redhat.com/errata/RHSA-2009-0437.html http://secunia.com/advisories/34758 http://secunia.com/advisories/34780 http://secunia.com/advisories/34843 http://secunia.com/advisories/34844 http://secunia.com/advisories/34894 http://secunia.com/advisories/35042 http://secunia.com/advisories/35065 http://secunia.com/advisories/35536 http://secunia.com/advisories/35602 http://sunsolve.sun.com/search&# • CWE-16: Configuration •
CVSS: 4.3EPSS: 0%CPEs: 132EXPL: 1CVE-2009-1311 – Firefox POST data sent to wrong site when saving web page with embedded frame
https://notcve.org/view.php?id=CVE-2009-1311
Mozilla Firefox before 3.0.9 and SeaMonkey before 1.1.17 allow user-assisted remote attackers to obtain sensitive information via a web page with an embedded frame, which causes POST data from an outer page to be sent to the inner frame's URL during a SAVEMODE_FILEONLY save of the inner frame. Mozilla Firefox anteriores a v3.0.9 y SeaMonkey anteriores a v1.1.17 permite a atacantes remotos con la intervención del usuario obtener información sensible al utilizar una página web con un "frame" embebido, provocando que una operación "POST" desde una página externa sea enviada al "frame" contenido en la URL al realizar un almacenamiento "SAVEMODE_FILEONLY" del "frame" contenido. • http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html http://rhn.redhat.com/errata/RHSA-2009-0437.html http://secunia.com/advisories/34758 http://secunia.com/advisories/34843 http://secunia.com/advisories/34844 http://secunia.com/advisories/34894 http://secunia.com/advisories/35042 http://secunia.com/advisories/35065 http://secunia.com/advisories/35561 http://secunia.com/advisories/35882 http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m& • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 83%CPEs: 12EXPL: 3CVE-2009-1232 – Mozilla Firefox 3.0.x - XML Parser Memory Corruption / Denial of Service (PoC)
https://notcve.org/view.php?id=CVE-2009-1232
Mozilla Firefox 3.0.8 and earlier 3.0.x versions allows remote attackers to cause a denial of service (memory corruption) via an XML document composed of a long series of start-tags with no corresponding end-tags. NOTE: it was later reported that 3.0.10 and earlier are also affected. Firefox de Mozilla versiones 3.0.8 y anteriores a 3.0.x, permite a los atacantes remotos causar una denegación de servicio (corrupción de memoria) por medio de un documento XML compuesto por una serie larga de etiquetas de inicio sin las etiquetas finales correspondientes. NOTA: más tarde se informó que la versión 3.0.10 y anteriores también están afectadas. • https://www.exploit-db.com/exploits/8306 http://milw0rm.com/sploits/2009-Firefox-XUL-0day-PoC.rar http://websecurity.com.ua/3216 http://www.securityfocus.com/bid/34522 https://bugzilla.mozilla.org/show_bug.cgi?id=485941 https://exchange.xforce.ibmcloud.com/vulnerabilities/49521 • CWE-20: Improper Input Validation •