CVSS: 2.6EPSS: 1%CPEs: 63EXPL: 0CVE-2008-2933 – Firefox command line URL launches multi-tabs
https://notcve.org/view.php?id=CVE-2008-2933
Mozilla Firefox before 2.0.0.16, and 3.x before 3.0.1, interprets '|' (pipe) characters in a command-line URI as requests to open multiple tabs, which allows remote attackers to access chrome:i URIs, or read arbitrary local files via manipulations involving a series of URIs that is not entirely handled by a vector application, as exploited in conjunction with CVE-2008-2540. NOTE: this issue exists because of an insufficient fix for CVE-2005-2267. Mozilla Firefox en versiones anteriores a 2.0.0.16 y 3.x anteriores a 3.0.1, interpreta el caráter (|) tubería en una línea de comando URI como una petición para abrir múltiples pestañas, lo que permite a los atacantes remotos acceso chrome: i URIs o lectura arbitraria de archivos locales a través de manipulación en una serie de URIs que no son completamente controlados por un vector de la aplicación, como un exploit junto con CVE-2008-2540. NOTA: esto existe por un reparación insuficiente de CVE-2005-2267 • http://secunia.com/advisories/31106 http://secunia.com/advisories/31120 http://secunia.com/advisories/31121 http://secunia.com/advisories/31129 http://secunia.com/advisories/31145 http://secunia.com/advisories/31157 http://secunia.com/advisories/31176 http://secunia.com/advisories/31183 http://secunia.com/advisories/31261 http://secunia.com/advisories/31270 http://secunia.com/advisories/31306 http://secunia.com/advisories/31377 http://secunia.com/advisories/33433 http:/& • CWE-20: Improper Input Validation •
CVSS: 4.0EPSS: 1%CPEs: 18EXPL: 0CVE-2008-2809 – Firefox self signed certificate flaw
https://notcve.org/view.php?id=CVE-2008-2809
Mozilla 1.9 M8 and earlier, Mozilla Firefox 2 before 2.0.0.15, SeaMonkey 1.1.5 and other versions before 1.1.10, Netscape 9.0, and other Mozilla-based web browsers, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regard the certificate as also accepted for all domain names in subjectAltName:dNSName fields, which makes it easier for remote attackers to trick a user into accepting an invalid certificate for a spoofed web site. Mozilla 1.9 M8 y anteriores, Mozilla Firefox 2 y anteriores a 2.0.0.15, SeaMonkey 1.1.5 y otras versiones anteriores a 1.1.10, Netscape 9.0, y otras navegadores basados en Mozilla, cuando un usuario aceptar un certificado SSL de servidor sobre las bases del nombre de dominio CN en el campo DN, considerando que el certificado es también aceptado por todos los nombres de dominio en el campo subjectAltName:dNSName, el cual hace más fácil a los atacantes remotos engañar a un usuario aceptando un certificado no válido para una página web falsa. • http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html http://nils.toedtmann.net/pub/subjectAltName.txt http://rhn.redhat.com/errata/RHSA-2008-0616.html http://secunia.com/advisories/30878 http://secunia.com/advisories/30898 http://secunia.com/advisories/30903 http://secunia.com/advisories/30911 http://secunia.com/advisories/30949 http://secunia.com/advisories/31005 http://secunia.com/advisories/31008 http://secunia.com/advisories/31021 http://secunia.com&# • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 66%CPEs: 37EXPL: 0CVE-2008-2799 – Firefox javascript arbitrary code execution
https://notcve.org/view.php?id=CVE-2008-2799
Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unknown vectors related to the JavaScript engine. Múltiples vulnerabilidades no especificadas en versiones de Mozilla Firefox anteriores a la 2.0.0.15, Thunderbird 2.0.0.14 y anteriores, y SeaMonkey anteriores a la 1.1.10, que permiten a los atacantes remotos causar una denegación de servicios (caída de la aplicación) y posiblemente ejecutar arbitrariamente código a través de vectores desconocidos relativos a JavaScript Engine • http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html http://rhn.redhat.com/errata/RHSA-2008-0616.html http://secunia.com/advisories/30878 http://secunia.com/advisories/30898 http://secunia.com/advisories/30903 http://secunia.com/advisories/30911 http://secunia.com/advisories/30915 http://secunia.com/advisories/30949 http://secunia.com/advisories/31005 http://secunia.com/advisories/31008 http://secunia.com/advisories/31021 http://secunia.com/advisories/3 • CWE-399: Resource Management Errors •
CVSS: 6.8EPSS: 1%CPEs: 24EXPL: 0CVE-2008-2810 – Firefox arbitrary file disclosure
https://notcve.org/view.php?id=CVE-2008-2810
Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly identify the context of Windows shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy via a crafted web site for which the user has previously saved a shortcut. Mozilla Firefox anterior a 2.0.0.15 y SeaMonkey anterior a 1.1.10, no identifican correctamente el contexto de los ficheros de acceso de directo de Windows, esto permite a atacantes remotos con la ayuda del usuario evitar el Same Origin Policy mediante un sitio Web manipulado en el que el usuario haya guardado previamente un acceso directo. • http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html http://rhn.redhat.com/errata/RHSA-2008-0616.html http://secunia.com/advisories/30878 http://secunia.com/advisories/30898 http://secunia.com/advisories/30903 http://secunia.com/advisories/30911 http://secunia.com/advisories/30949 http://secunia.com/advisories/31005 http://secunia.com/advisories/31008 http://secunia.com/advisories/31021 http://secunia.com/advisories/31023 http://secunia.com/advisories/3 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 1%CPEs: 24EXPL: 0CVE-2008-2807 – Firefox .properties memory leak
https://notcve.org/view.php?id=CVE-2008-2807
Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly handle an invalid .properties file for an add-on, which allows remote attackers to read uninitialized memory, as demonstrated by use of ISO 8859 encoding instead of UTF-8 encoding in a French .properties file. Mozilla Firefox y versiones anteriores a la 2.0.0.15 y SeaMonkey y versiones anteriores a la 1.1.10 que no gestionan correctamente una propiedad inválida de un fichero para un complemento, el cual permite a los atacantes remotos leer memorias no inicializadas, como demuestra el cifrado ISO 8859 en lugar del cifrado UTF-8 en un propiedad francesa del fichero. • http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html http://rhn.redhat.com/errata/RHSA-2008-0616.html http://secunia.com/advisories/30878 http://secunia.com/advisories/30898 http://secunia.com/advisories/30903 http://secunia.com/advisories/30911 http://secunia.com/advisories/30949 http://secunia.com/advisories/31005 http://secunia.com/advisories/31008 http://secunia.com/advisories/31021 http://secunia.com/advisories/31023 http://secunia.com/advisories/3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-401: Missing Release of Memory after Effective Lifetime •