CVSS: 6.8EPSS: 1%CPEs: 157EXPL: 0CVE-2009-3984 – Mozilla SSL spoofing with document.location and empty SSL response page
https://notcve.org/view.php?id=CVE-2009-3984
Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to spoof an SSL indicator for an http URL or a file URL by setting document.location to an https URL corresponding to a site that responds with a No Content (aka 204) status code and an empty body. Mozilla Firefox en versiones anteriores a v3.0.16 y v3.5.x antes de v3.5.6, y SeaMonkey antes de v2.0.1, permite a atacantes remotos suplantar un indicador de SSL para una URL o fichero HTTP URL estableciendo el valor de document.location a una URL https correspondiente a un sitio que responde con un código de estado "No Content" (Código 204) y un cuerpo vacío. • http://secunia.com/advisories/37699 http://secunia.com/advisories/37703 http://secunia.com/advisories/37704 http://secunia.com/advisories/37785 http://secunia.com/advisories/37813 http://secunia.com/advisories/37856 http://secunia.com/advisories/37881 http://securitytracker.com/id?1023342 http://securitytracker.com/id?1023343 http://www.debian.org/security/2009/dsa-1956 http://www.mozilla.org/security/announce/2009/mfsa2009-69.html http://www.novell.com/linux/security/advis •
CVSS: 9.3EPSS: 1%CPEs: 52EXPL: 0CVE-2009-3376 – Firefox download filename spoofing with RTL override
https://notcve.org/view.php?id=CVE-2009-3376
Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file. Mozilla Firefox anteriores a v3.0.15 y v3.5.x anteriores a v3.5.4, y SeaMonkey anteriores a v2.0, no maneja adecuadamente una anulación de carácter Unicode "right-to-left" (también conocido como RLO o U+202E) en un nombre de fichero de descarga, lo que permite a atacantes remotos falsificar las extensiones de fichero a través de un nombre de fichero manipulado como se demuestra en una extensión no ejecutable de un fichero ejecutable. • http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html http://secunia.com/advisories/38977 http://sunsolve.sun.com/search/document.do?assetkey=1-26-272909-1 http://www.mandriva.com/security/advisories?name=MDVSA-2009:294 http://www.mozilla.org/security/announce/2009/mfsa2009-62.html http://www.redhat.com/support/errata/RHSA-2010-0153.html http://www.redhat.com/support/errata/RHSA-2010-0154.html http://www.ubuntu.com/usn/USN-915-1 http://www.vupen.co • CWE-16: Configuration •
CVSS: 9.3EPSS: 8%CPEs: 52EXPL: 0CVE-2009-3372 – Firefox crash in proxy auto-configuration regexp parsing
https://notcve.org/view.php?id=CVE-2009-3372
Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via a crafted regular expression in a Proxy Auto-configuration (PAC) file. Mozilla Firefox anteriores a v3.0.15 y v3.5.x anteriores a v3.5.4, y SeaMonkey anteriores a v2.0, permite a atacantes remotos ejecutar código arbitrario a través de un expresión regular manipulada en un fichero de autoconfiguración de proxy. • http://sunsolve.sun.com/search/document.do?assetkey=1-26-272909-1 http://www.mandriva.com/security/advisories?name=MDVSA-2009:294 http://www.mozilla.org/security/announce/2009/mfsa2009-55.html http://www.vupen.com/english/advisories/2009/3334 https://bugzilla.mozilla.org/show_bug.cgi?id=500644 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10977 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6347 https://access& •
CVSS: 10.0EPSS: 32%CPEs: 56EXPL: 1CVE-2009-3373 – Mozilla Firefox 3.5.3 / SeaMonkey 1.1.17 - 'libpr0n' .GIF Parser Heap Buffer Overflow
https://notcve.org/view.php?id=CVE-2009-3373
Heap-based buffer overflow in the GIF image parser in Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via unspecified vectors. Desbordamiento de búfer basado en memoria dinámica en el parseador de imágenes GIF en Mozilla Firefox anteriores a v3.0.15 y v3.5.x anteriores a v3.5.4, y SeaMonkey anteriores a v2.0, permite a atacantes remotos ejecutar código arbitrario a través de vectores desconocidos. • https://www.exploit-db.com/exploits/33313 http://sunsolve.sun.com/search/document.do?assetkey=1-26-272909-1 http://www.mandriva.com/security/advisories?name=MDVSA-2009:294 http://www.mozilla.org/security/announce/2009/mfsa2009-56.html http://www.vupen.com/english/advisories/2009/3334 https://bugzilla.mozilla.org/show_bug.cgi?id=511689 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10684 https://oval.cisecurity.org/repository/search/definition/oval&# • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVSS: 4.3EPSS: 0%CPEs: 79EXPL: 0CVE-2008-6961
https://notcve.org/view.php?id=CVE-2008-6961
mailnews in Mozilla Thunderbird before 2.0.0.18 and SeaMonkey before 1.1.13, when JavaScript is enabled in mail, allows remote attackers to obtain sensitive information about the recipient, or comments in forwarded mail, via script that reads the (1) .documentURI or (2) .textContent DOM properties. mailnews en Mozilla Thunderbird anteriores a v2.0.0.18 y SeaMonkey anteriores a v1.1.13, cuando JavaScript es habilita en correo electrónico, permite a los atacantes remotos obtener información sensible acerca del recipiente, o comentarios en correos re-enviados, a través de una secuencia de comando que lee las propiedades (1) .documentURI or (2) .textContent DOM • http://secunia.com/advisories/32714 http://secunia.com/advisories/32715 http://www.mozilla.org/security/announce/2008/mfsa2008-59.html http://www.securityfocus.com/bid/32363 http://www.securitytracker.com/id?1021247 https://bugzilla.mozilla.org/show_bug.cgi?id=458883 https://exchange.xforce.ibmcloud.com/vulnerabilities/46734 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •