
CVSS: 4.3 | EPSS: 38% | CPEs: 15 | EXPL: 0

The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 retrieves the inner URL regardless of its MIME type, and considers HTML documents within a jar archive to have the same origin as the inner URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI.

• References:
  http://browser.netscape.com/releasenotes
  http://bugs.gentoo.org/show_bug.cgi?id=198965
  http://bugs.gentoo.org/show_bug.cgi?id=200909
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
  http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00004.html
  http://secunia.com/advisories/27605
  http://secunia.com/advisories/27793
  http://secunia.com/advisories/27796
  http://secunia.com/advisories/27797
  http://secunia.com/advisories/27800
  http://secunia.
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Mozilla Firefox 2.0.0.9 allows remote attackers to cause a denial of service (CPU consumption and crash) via an iframe with Javascript that sets the document.location to contain a leading NULL byte (\x00) and a (1) res://, (2) about:config, or (3) file:/// URI.

• References:
  http://osvdb.org/45296
  http://www.0x000000.com/index.php?i=467&bin=111010011
  http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2007-11/msg00094.html
  https://exchange.xforce.ibmcloud.com/vulnerabilities/38233
• CWE-399: Resource Management Errors

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

ParseFTPList.cpp in Mozilla Firefox 2.0.0.7 allows remote FTP servers to cause a denial of service (application crash) via a crafted reply to an unspecified listing command, related to "reading from invalid pointer."

• References:
  http://osvdb.org/43609
  http://securityreason.com/securityalert/3319
  http://www.eleytt.com/advisories/eleytt_FFPARSEFTPLIST.pdf
  http://www.securityfocus.com/archive/1/482597/100/0/threaded
  http://www.securityfocus.com/bid/26159
  https://exchange.xforce.ibmcloud.com/vulnerabilities/37334
• CWE-20: Improper Input Validation

CVSS: 4.3 | EPSS: 11% | CPEs: 1 | EXPL: 0

Mozilla Firefox 2.0 before 2.0.0.8 allows remote attackers to obtain sensitive system information by using the addMicrosummaryGenerator sidebar method to access file: URIs.

• References:
  http://osvdb.org/42470
  http://secunia.com/advisories/27335
  http://secunia.com/advisories/27387
  http://secunia.com/advisories/27665
  http://www.gentoo.org/security/en/glsa/glsa-200711-14.xml
  https://bugzilla.mozilla.org/show_bug.cgi?id=390983
  https://exchange.xforce.ibmcloud.com/vulnerabilities/37428
  https://usn.ubuntu.com/535-1
  https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00355.html
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.3 | EPSS: 4% | CPEs: 2 | EXPL: 0

Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allow remote attackers to execute arbitrary Javascript with user privileges by using the Script object to modify XPCNativeWrappers in a way that causes the script to be executed when a chrome action is performed.

• References:
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
  http://secunia.com/advisories/27276
  http://secunia.com/advisories/27298
  http://secunia.com/advisories/27311
  http://secunia.com/advisories/27315
  http://secunia.com/advisories/27325
  http://secunia.com/advisories/27327
  http://secunia.com/advisories/27335
  http://secunia.com/advisories/27336
  http://secunia.com/advisories/27356
  http://secunia.com/advisories/27360
  http://secunia.com/advisories/27383
  http:/
• CWE-16: Configuration
• CWE-264: Permissions, Privileges, and Access Controls