CVSS: 4.3EPSS: 3%CPEs: 3EXPL: 1CVE-2008-0418 – Mozilla Firefox 2.0 - 'chrome://' URI JavaScript File Request Information Disclosure
https://notcve.org/view.php?id=CVE-2008-0418
Directory traversal vulnerability in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8, when using "flat" addons, allows remote attackers to read arbitrary Javascript, image, and stylesheet files via the chrome: URI scheme, as demonstrated by stealing session information from sessionstore.js. Vulnerabilidad de salto de directorio en Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, y SeaMonkey en versiones anteriores a 1.1.8, cuando usa addons "llanos", permite a atacantes remotos leer Javascript, imágenes, y ficheros de hojas de estilo de su elección a través de chrome: URI scheme, tal y como se demostró robando información de la sesión de sessionstore.js. • https://www.exploit-db.com/exploits/31051 http://browser.netscape.com/releasenotes http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html http://secunia.com/advisories/28622 http://secunia.com/advisories/28754 http://secunia.com/advisories/28766 http://secunia.com/advisories/28808 http://secunia.com/advisories/28815 http://secunia.com/advisories/28818 http://secunia.com/advisories/28839 http://secunia.com/advisories/28864 http://secunia.com/advisories/28865 ht • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.3EPSS: 27%CPEs: 2EXPL: 0CVE-2008-0419 – Mozilla arbitrary code execution
https://notcve.org/view.php?id=CVE-2008-0419
Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows remote attackers to steal navigation history and cause a denial of service (crash) via images in a page that uses designMode frames, which triggers memory corruption related to resize handles. Mozilla Firefox versiones anteriores a 2.0.0.12 y SeaMonkey versiones anteriores a 1.1.8, permite a los atacantes remotos robar el historial de navegación y causar una denegación de servicio (bloqueo) por medio de imágenes en una página que usa tramas designMode, lo que desencadena corrupción de memoria relacionada con el manejo del redimensionamiento. • http://browser.netscape.com/releasenotes http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html http://secunia.com/advisories/28754 http://secunia.com/advisories/28758 http://secunia.com/advisories/28766 http://secunia.com/advisories/28808 http://secunia.com/advisories/28815 http://secunia.com/advisories/28818 http://secunia.com/advisories/28839 http://secunia.com/advisories/28864 http://secunia.com/advisories/28865 http://secunia.com/advisories/28877 http:/& • CWE-399: Resource Management Errors •
CVSS: 4.3EPSS: 14%CPEs: 2EXPL: 1CVE-2008-0591 – Mozilla information disclosure flaw
https://notcve.org/view.php?id=CVE-2008-0591
Mozilla Firefox before 2.0.0.12 and Thunderbird before 2.0.0.12 does not properly manage a delay timer used in confirmation dialogs, which might allow remote attackers to trick users into confirming an unsafe action, such as remote file execution, by using a timer to change the window focus, aka the "dialog refocus bug" or "ffclick2". Mozilla Firefox versiones anteriores a 2.0.0.12 y Thunderbird versiones anteriores a 2.0.0.12, no administra apropiadamente un temporizador de retardo utilizado en los diálogos de confirmación, que podría permitir a atacantes remotos engañar a los usuarios para que confirmen una acción no segura, como la ejecución remota de archivos, mediante el uso de un temporizador para cambiar el enfoque de ventana, también conocido como el "dialog refocus bug" o "ffclick2". • http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0026.html http://browser.netscape.com/releasenotes http://lcamtuf.coredump.cx/ffclick2 http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html http://secunia.com/advisories/28754 http://secunia.com/advisories/28758 http://secunia.com/advisories/28766 http://secunia.com/advisories/28808 http://secunia.com/advisories/28818 http://secunia.com/advisories/28839 http://secunia.com/advisories/28864 http://secuni •
CVSS: 4.3EPSS: 11%CPEs: 2EXPL: 1CVE-2008-0592 – Mozilla text file mishandling
https://notcve.org/view.php?id=CVE-2008-0592
Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to cause a denial of service via a plain .txt file with a "Content-Disposition: attachment" and an invalid "Content-Type: plain/text," which prevents Firefox from rendering future plain text files within the browser. Mozilla Firefox antes de 2.0.0.12 y SeaMonkey antes de 1.1.8. Permite a atacantes remotos ayudados por el usuario provocar una denegación de servicio a través del archivo plain .txt con un "disposición de contenido: adjunto" (Content-Disposition attachment) y un "Tipo de contenido: texto/plano" (Content-Type: plain/text) no válido, lo que impide a Firefox interpretar futuros archivos de texto plano en el navegador. • http://browser.netscape.com/releasenotes http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html http://secunia.com/advisories/28754 http://secunia.com/advisories/28818 http://secunia.com/advisories/28864 http://secunia.com/advisories/28865 http://secunia.com/advisories/28877 http://secunia.com/advisories/28879 http://secunia.com/advisories/28924 http://secunia.com/advisories/28939 http://secunia.com/advisories/28958 http://secunia.com/advisories/29086 http:/& •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2008-0367
https://notcve.org/view.php?id=CVE-2008-0367
Mozilla Firefox 2.0.0.11, 3.0b2, and possibly earlier versions, when prompting for HTTP Basic Authentication, displays the site requesting the authentication after the Realm text, which might make it easier for remote HTTP servers to conduct phishing and spoofing attacks. En el navegador Mozilla Firefox 2.0.0.11, 3.0b2, y posiblemente versiones anteriores, cuando se abre la ventana de Autenticación HTTP básica, se muestra el sitio que requiere la autenticación despues del texto Realm, lo que podría provocar que servidores HTTP remotos lleven a cabo ataques de phising o spoofing. • http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx http://aviv.raffon.net/2008/01/05/FirefoxDialogSpoofingFAQ.aspx http://blog.mozilla.com/security/2008/01/04/basicauth-dialog-realm-value-spoofing http://www.securityfocus.com/archive/1/485732/100/200/threaded http://www.securityfocus.com/archive/1/485738/100/200/threaded http://www.securityfocus.com/bid/27111 https://bugzilla.mozilla.org/show_bug.cgi?id=244273 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •