CVSS: 7.5EPSS: 2%CPEs: 132EXPL: 0CVE-2008-3835 – mozilla: nsXMLDocument:: OnChannelRedirect() same-origin violation
https://notcve.org/view.php?id=CVE-2008-3835
The nsXMLDocument::OnChannelRedirect function in Mozilla Firefox before 2.0.0.17, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code via unknown vectors. La función nsXMLDocument::OnChannelRedirect en Firefox de Mozilla antes de 2.0.0.17, Thunderbird antes de 2.0.0.17 y SeaMonkey antes de 1.1.12 permite a atacantes remotos evitar "Same Origin Policy (Política de Mismo Origen)" y ejecutar código javaScript de su elección mediante desconocidos. • http://download.novell.com/Download?buildid=WZXONb-tqBw~ http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00005.html http://secunia.com/advisories/31984 http://secunia.com/advisories/31985 http://secunia.com/advisories/32007 http://secunia.com/advisories/32010 http://secunia.com/advisories/32012 http://secunia.com/advisories/32025 http://secunia.com/advisories/32042 http://secunia.com/advisories/32044 http://secunia.com/advisories/32082 http://secunia.com/advisorie • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 2%CPEs: 51EXPL: 0CVE-2008-3836
https://notcve.org/view.php?id=CVE-2008-3836
feedWriter in Mozilla Firefox before 2.0.0.17 allows remote attackers to execute scripts with chrome privileges via vectors related to feed preview and the (1) elem.doCommand, (2) elem.dispatchEvent, (3) _setTitleText, (4) _setTitleImage, and (5) _initSubscriptionUI functions. feedWriter en Firefox de Mozilla antes de 2.0.0.17 permite a atacantes remotos ejecutar secuencias de comandos con privilegios chrome mediante vectores relacionados con la previsualización feed y las funciones (1) elem.doCommand, (2) elem.dispatchEvent, (3) _setTitleText, (4) _setTitleImage y (5) _initSubscriptionUI. • http://download.novell.com/Download?buildid=WZXONb-tqBw~ http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00005.html http://secunia.com/advisories/31984 http://secunia.com/advisories/32012 http://secunia.com/advisories/32042 http://secunia.com/advisories/32144 http://secunia.com/advisories/32185 http://secunia.com/advisories/32196 http://secunia.com/advisories/32845 http://secunia.com/advisories/33433 http://secunia.com/advisories/34501 http://slackware.com/securit • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.3EPSS: 0%CPEs: 8EXPL: 0CVE-2008-3837 – mozilla: Forced mouse drag
https://notcve.org/view.php?id=CVE-2008-3837
Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, and SeaMonkey before 1.1.12, allow user-assisted remote attackers to move a window during a mouse click, and possibly force a file download or unspecified other drag-and-drop action, via a crafted onmousedown action that calls window.moveBy, a variant of CVE-2003-0823. Firefox de Mozilla antes de 2.0.0.17 y 3.x antes de 3.0.2 y SeaMonkey antes de 1.1.12, permiten a atacantes remotos ayudados por el usuario mover una ventana durante un click de ratón y posiblemente forzar una descarga de archivos u otras acciones "arrastrar y soltar", mediante una acción onmousedown manipulada que llama a window.moveBy, una variante de CVE-2003-0823. • http://download.novell.com/Download?buildid=WZXONb-tqBw~ http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00005.html http://secunia.com/advisories/31984 http://secunia.com/advisories/31985 http://secunia.com/advisories/31987 http://secunia.com/advisories/32010 http://secunia.com/advisories/32011 http://secunia.com/advisories/32012 http://secunia.com/advisories/32042 http://secunia.com/advisories/32044 http://secunia.com/advisories/32089 http://secunia.com/advisorie •
CVSS: 7.5EPSS: 8%CPEs: 9EXPL: 0CVE-2008-4058 – Mozilla privilege escalation via XPCnativeWrapper pollution
https://notcve.org/view.php?id=CVE-2008-4058
The XPConnect component in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to "pollute XPCNativeWrappers" and execute arbitrary code with chrome privileges via vectors related to (1) chrome XBL and (2) chrome JS. El componente XPConnect en Mozilla Firefox antes de 2.0.0.17 y 3.x antes de 3.0.2, Thunderbird antes de 2.0.0.17 y SeaMonkey before 1.1.12 permite a atacantes remotos "contaminar XPCNativeWrappers" y ejecutar código de su elección con privilegios chrome mediante vectores relacionados con (1) chrome XBL y (2) chrome JS. • http://download.novell.com/Download?buildid=WZXONb-tqBw~ http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00005.html http://secunia.com/advisories/31984 http://secunia.com/advisories/31985 http://secunia.com/advisories/31987 http://secunia.com/advisories/32007 http://secunia.com/advisories/32010 http://secunia.com/advisories/32011 http://secunia.com/advisories/32012 http://secunia.com/advisories/32025 http://secunia.com/advisories/32042 http://secunia.com/advisorie • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 95%CPEs: 3EXPL: 2CVE-2008-4066 – Mozilla low surrogates stripped from JavaScript before execution
https://notcve.org/view.php?id=CVE-2008-4066
Mozilla Firefox 2.0.0.14, and other versions before 2.0.0.17, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via HTML-escaped low surrogate characters that are ignored by the HTML parser, as demonstrated by a "jav�ascript" sequence, aka "HTML escaped low surrogates bug." Mozilla Firefox versión 2.0.0.14, y otras versiones anteriores a 2.0.0.17, permiten a los atacantes remotos omitir los mecanismos de protección de cross-site scripting (XSS) y conducir ataques de tipo XSS por medio de caracteres sustitutos bajos con escape de HTML que son ignorados por el analizador HTML, como es demostrado por una secuencia "jav?ascript", también se conoce como "HTML escaped low surrogates bug." • http://blogs.technet.com/bluehat/archive/2008/08/14/targeted-fuzzing.aspx http://download.novell.com/Download?buildid=WZXONb-tqBw~ http://jvn.jp/en/jp/JVN96950482/index.html http://jvndb.jvn.jp/ja/contents/2011/JVNDB-2011-000058.html http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00005.html http://secunia.com/advisories/31984 http://secunia.com/advisories/31985 http://secunia.com/advisories/32007 http://secunia.com/advisories/32010 http://secunia.com/advi • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •