CVSS: 4.3EPSS: 11%CPEs: 2EXPL: 1CVE-2008-0592 – Mozilla text file mishandling
https://notcve.org/view.php?id=CVE-2008-0592
Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to cause a denial of service via a plain .txt file with a "Content-Disposition: attachment" and an invalid "Content-Type: plain/text," which prevents Firefox from rendering future plain text files within the browser. Mozilla Firefox antes de 2.0.0.12 y SeaMonkey antes de 1.1.8. Permite a atacantes remotos ayudados por el usuario provocar una denegación de servicio a través del archivo plain .txt con un "disposición de contenido: adjunto" (Content-Disposition attachment) y un "Tipo de contenido: texto/plano" (Content-Type: plain/text) no válido, lo que impide a Firefox interpretar futuros archivos de texto plano en el navegador. • http://browser.netscape.com/releasenotes http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html http://secunia.com/advisories/28754 http://secunia.com/advisories/28818 http://secunia.com/advisories/28864 http://secunia.com/advisories/28865 http://secunia.com/advisories/28877 http://secunia.com/advisories/28879 http://secunia.com/advisories/28924 http://secunia.com/advisories/28939 http://secunia.com/advisories/28958 http://secunia.com/advisories/29086 http:/& •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2008-0367
https://notcve.org/view.php?id=CVE-2008-0367
Mozilla Firefox 2.0.0.11, 3.0b2, and possibly earlier versions, when prompting for HTTP Basic Authentication, displays the site requesting the authentication after the Realm text, which might make it easier for remote HTTP servers to conduct phishing and spoofing attacks. En el navegador Mozilla Firefox 2.0.0.11, 3.0b2, y posiblemente versiones anteriores, cuando se abre la ventana de Autenticación HTTP básica, se muestra el sitio que requiere la autenticación despues del texto Realm, lo que podría provocar que servidores HTTP remotos lleven a cabo ataques de phising o spoofing. • http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx http://aviv.raffon.net/2008/01/05/FirefoxDialogSpoofingFAQ.aspx http://blog.mozilla.com/security/2008/01/04/basicauth-dialog-realm-value-spoofing http://www.securityfocus.com/archive/1/485732/100/200/threaded http://www.securityfocus.com/archive/1/485738/100/200/threaded http://www.securityfocus.com/bid/27111 https://bugzilla.mozilla.org/show_bug.cgi?id=244273 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 3%CPEs: 2EXPL: 0CVE-2007-6589
https://notcve.org/view.php?id=CVE-2007-6589
The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 does not update the origin domain when retrieving the inner URL parameter yields an HTTP redirect, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI, a different vulnerability than CVE-2007-5947. El manejador de protocolo jar de Mozilla Firefox anterior a 2.0.0.10 y SeaMonkey anterior a 1.1.7 no actualiza el dominio de origen cuando la recuperación del parámetro URL interno da lugar a una redirección HTTP, lo cual permite a atacantes remotos llevar a cabo ataques de secuencias de comandos en sitios cruzados (XSS) mediante un URI jar:, una vulnerabilidad diferente de CVE-2007-5947. • http://blog.beford.org/?p=8 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 http://osvdb.org/43477 http://www.mozilla.org/security/announce/2007/mfsa2007-37.html http://www.vupen.com/english/advisories/2008/0083 https://bugzilla.mozilla.org/show_bug.cgi?id=369814 https://bugzilla.mozilla.org/show_bug.cgi?id=403331 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6033 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 95%CPEs: 66EXPL: 0CVE-2007-5959 – Multiple flaws in Firefox
https://notcve.org/view.php?id=CVE-2007-5959
Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger memory corruption. Múltiples vulnerabilidades no especificadas en Mozilla Firefox versiones anteriores a 2.0.0.10 y SeaMonkey versiones anteriores a 1.1.7 permiten a atacantes remotos provocar una denegación de servicio (caída) y posiblemente ejecutar código de su elección mediante vectores desconocidos que disparan corrupción de memoria. • http://browser.netscape.com/releasenotes http://bugs.gentoo.org/show_bug.cgi?id=198965 http://bugs.gentoo.org/show_bug.cgi?id=200909 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00004.html http://secunia.com/advisories/27725 http://secunia.com/advisories/27793 http://secunia.com/advisories/27796 http://secunia.com/advisories/27797 http://secunia.com/advisories/27800 http://secunia. •
CVSS: 4.3EPSS: 4%CPEs: 52EXPL: 0CVE-2007-5960 – Mozilla Cross-site Request Forgery flaw
https://notcve.org/view.php?id=CVE-2007-5960
Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 sets the Referer header to the window or frame in which script is running, instead of the address of the content that initiated the script, which allows remote attackers to spoof HTTP Referer headers and bypass Referer-based CSRF protection schemes by setting window.location and using a modal alert dialog that causes the wrong Referer to be sent. Mozilla Firefox versiones anteriores a 2.0.0.10 y SeaMonkey versiones anteriores a 1.1.7, establece el encabezado Referer en la ventana o trama en la que se ejecuta el script, en lugar de la dirección del contenido que inició el script, lo que permite a atacantes remotos suplantar encabezados Referer HTTP y omitir Esquemas de protección CSRF basados ??en Referer mediante la configuración de window.location y utilizando un cuadro de diálogo de alerta modal que causa que el Referer incorrecto se envíe. • http://browser.netscape.com/releasenotes http://bugs.gentoo.org/show_bug.cgi?id=198965 http://bugs.gentoo.org/show_bug.cgi?id=200909 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00004.html http://secunia.com/advisories/27725 http://secunia.com/advisories/27793 http://secunia.com/advisories/27796 http://secunia.com/advisories/27797 http://secunia.com/advisories/27800 http://secunia. • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-352: Cross-Site Request Forgery (CSRF) •