CVSS: 2.6EPSS: 0%CPEs: 9EXPL: 0CVE-2009-0354 – Firefox XSS using a chrome XBL method and window.eval
https://notcve.org/view.php?id=CVE-2009-0354
Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval function. Vulnerabilidad de dominio cruzado en js/src/jsobj.cpp en Mozilla Firefox v3.x anterior a v3.0.6 permite a atacantes remotos evitar la Política de Mismo Origen (Same Origin Policy) , acceder a las propiedades de cualquier ventana de su elección y llevar a cabo ataques de ejecución de secuencias de comandos en sitios cruzados (XSS) a través de vectores que involucran al método Chrome XBL y a la función window.eval. • http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00001.html http://rhn.redhat.com/errata/RHSA-2009-0256.html http://secunia.com/advisories/33799 http://secunia.com/advisories/33809 http://secunia.com/advisories/33831 http://secunia.com/advisories/33841 http://secunia.com/advisories/33846 http://secunia.com/advisories/33869 http://support.avaya.com/elmodocs2/security/ASA-2009-040.htm http://www.mandriva.com/security/advisories?name=MDVSA-2009:044 http://www.mozi • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 98EXPL: 0CVE-2009-0357 – Firefox XMLHttpRequest allows reading HTTPOnly cookies
https://notcve.org/view.php?id=CVE-2009-0357
Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. Mozilla Firefox anterior a v3.06 y SeaMonkey anterior a v1.1.15 no restringe adecuadamente el acceso desde las páginas web a las cabeceras de respuesta HTTP (1) Set-Cookie y (2) Set-Cookie2, lo que permite a atacantes remotos obtener información sensible de las cookies a través de llamadas XMLHttpRequest, relacionado con el mecanismo de protección HTTPOnly. • http://ha.ckers.org/blog/20070511/bluehat-errata http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00001.html http://rhn.redhat.com/errata/RHSA-2009-0256.html http://secunia.com/advisories/33799 http://secunia.com/advisories/33808 http://secunia.com/advisories/33809 http://secunia.com/advisories/33816 http://secunia.com/advisories/33831 http://secunia.com/advisories/33841 http://secunia.com/advisories/33846 http://secunia.com/advisories/33869 http://secunia. • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.1EPSS: 18%CPEs: 93EXPL: 0CVE-2009-0356 – Firefox Chrome privilege escalation via local .desktop files
https://notcve.org/view.php?id=CVE-2009-0356
Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582. Mozilla Firefox en versiones anteriores a v3.0.6 y SeaMonkey no bloquean enlaces a las URIs (1) about:plugins y (2) about:config desde ficheros .desktop, lo que permite a atacantes remotos eludir la Same Origin Policy y ejecutar código de su elección con privilegios chrome mediante vectores relacionados con el campo URL en una sección Desktop Entry de un fichero .desktop, en relación con una representación de: URIs como jar:file:// URIs. NOTA: este problema existe debido a una resolución incompleta de CVE-2008-4582. • http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00001.html http://rhn.redhat.com/errata/RHSA-2009-0256.html http://secunia.com/advisories/33799 http://secunia.com/advisories/33809 http://secunia.com/advisories/33831 http://secunia.com/advisories/33841 http://secunia.com/advisories/33846 http://support.avaya.com/elmodocs2/security/ASA-2009-040.htm http://www.mandriva.com/security/advisories?name=MDVSA-2009:044 http://www.mozilla.org/security/announce/2009/mfsa2009- • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 10.0EPSS: 48%CPEs: 70EXPL: 0CVE-2009-0353 – Firefox javascript crashes with evidence of memory corruption
https://notcve.org/view.php?id=CVE-2009-0353
Unspecified vulnerability in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the JavaScript engine. Vulnerabilidad sin especificar en Mozilla Firefox v3.x anterior a v3.0.6, Thunderbird anterior a v2.0.0.21, y SeaMonkey anterior a v1.1.15 permite a atacantes remotos provocar una denegación de servicio (corrupción de memoria y caída de aplicación)o posiblemente ejecutar código de su elección a través de vectores relacionados con el motor JavaScript. • http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00009.html http://rhn.redhat.com/errata/RHSA-2009-0256.html http://secunia.com/advisories/33799 http://secunia.com/advisories/33802 http://secunia.com/advisories/33808 http://secunia.com/advisories/33809 http://secunia.com/advisories/33816 http://secunia.com/advisories/33831 http://secunia.com/advisories/33841 http://secunia.com/advisories/33846 • CWE-399: Resource Management Errors •
CVSS: 6.8EPSS: 2%CPEs: 1EXPL: 1CVE-2009-0253 – Mozilla Firefox 3.0.5 - Status Bar Obfuscation / Clickjacking
https://notcve.org/view.php?id=CVE-2009-0253
Mozilla Firefox 3.0.5 allows remote attackers to trick a user into visiting an arbitrary URL via an onclick action that moves a crafted element to the current mouse position, related to a "Status Bar Obfuscation" and "Clickjacking" attack. Mozilla Firefox v3.0.5 permite a atacantes remotos inducir a un usuario a visitar una URL de su elección a través de una acción onclick que mueve un elemento manipulado a la posición actual del ratón, en relación con un ataque de "Ofuscación de la barra de estado" y "Clickjacking". • https://www.exploit-db.com/exploits/7842 http://securityreason.com/securityalert/4936 https://exchange.xforce.ibmcloud.com/vulnerabilities/48212 •