CVE-2007-5947

jar: protocol XSS

  • Severity Score: 6.1 (CVSS v3)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)
Descriptions

The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 retrieves the inner URL regardless of its MIME type, and considers HTML documents within a jar archive to have the same origin as the inner URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI.


*Credits: N/A
CVSS Scores
CVSS v3
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2007-11-13 CVE Reserved
  • 2007-11-14 CVE Published
  • 2024-08-07 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (63)
URL Tag Source
http://browser.netscape.com/releasenotes X_refsource_confirm
http://bugs.gentoo.org/show_bug.cgi?id=198965 X_refsource_misc
http://bugs.gentoo.org/show_bug.cgi?id=200909 X_refsource_misc
http://secunia.com/advisories/29164 Third Party Advisory
http://wiki.rpath.com/Advisories:rPSA-2008-0093 X_refsource_confirm
http://wiki.rpath.com/wiki/Advisories:rPSA-2007-0260 X_refsource_confirm
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093 X_refsource_confirm
http://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues X_refsource_misc
http://www.kb.cert.org/vuls/id/715737 Third Party Advisory
http://www.securityfocus.com/archive/1/488002/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/488971/100/0/threaded Mailing List
http://www.securityfocus.com/bid/26385 Vdb Entry
http://www.securitytracker.com/id?1018928 Vdb Entry
http://www.vupen.com/english/advisories/2007/3818 Vdb Entry
http://www.vupen.com/english/advisories/2007/4002 Vdb Entry
http://www.vupen.com/english/advisories/2007/4018 Vdb Entry
http://www.vupen.com/english/advisories/2008/0083 Vdb Entry
http://www.vupen.com/english/advisories/2008/0643 Vdb Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=369814 X_refsource_confirm
https://exchange.xforce.ibmcloud.com/vulnerabilities/38356 Vdb Entry
https://issues.rpath.com/browse/RPL-1984 X_refsource_confirm
https://issues.rpath.com/browse/RPL-1995 X_refsource_confirm
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9873 Signature
URL Date SRC
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 2018-10-15
http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00004.html 2018-10-15
http://secunia.com/advisories/27605 2018-10-15
http://secunia.com/advisories/27793 2018-10-15
http://secunia.com/advisories/27796 2018-10-15
http://secunia.com/advisories/27797 2018-10-15
http://secunia.com/advisories/27800 2018-10-15
http://secunia.com/advisories/27816 2018-10-15
http://secunia.com/advisories/27838 2018-10-15
http://secunia.com/advisories/27845 2018-10-15
http://secunia.com/advisories/27855 2018-10-15
http://secunia.com/advisories/27944 2018-10-15
http://secunia.com/advisories/27955 2018-10-15
http://secunia.com/advisories/27957 2018-10-15
http://secunia.com/advisories/27979 2018-10-15
http://secunia.com/advisories/28001 2018-10-15
http://secunia.com/advisories/28016 2018-10-15
http://secunia.com/advisories/28171 2018-10-15
http://secunia.com/advisories/28277 2018-10-15
http://secunia.com/advisories/28398 2018-10-15
http://security.gentoo.org/glsa/glsa-200712-21.xml 2018-10-15
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.365006 2018-10-15
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.374833 2018-10-15
http://sunsolve.sun.com/search/document.do?assetkey=1-26-231441-1 2018-10-15
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1018977.1-1 2018-10-15
http://www.debian.org/security/2007/dsa-1424 2018-10-15
http://www.debian.org/security/2007/dsa-1425 2018-10-15
http://www.mandriva.com/security/advisories?name=MDKSA-2007:246 2018-10-15
http://www.mozilla.org/security/announce/2007/mfsa2007-37.html 2018-10-15
http://www.redhat.com/support/errata/RHSA-2007-1082.html 2018-10-15
http://www.redhat.com/support/errata/RHSA-2007-1083.html 2018-10-15
http://www.redhat.com/support/errata/RHSA-2007-1084.html 2018-10-15
http://www.ubuntu.com/usn/usn-546-2 2018-10-15
https://usn.ubuntu.com/546-1 2018-10-15
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00115.html 2018-10-15
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00135.html 2018-10-15
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00168.html 2018-10-15
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg01011.html 2018-10-15
https://access.redhat.com/security/cve/CVE-2007-5947 2007-11-26
https://bugzilla.redhat.com/show_bug.cgi?id=394211 2007-11-26
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Mozilla Firefox <= 2.0.0.9 - Affected
Mozilla Firefox 2.0.0.1 - Affected
Mozilla Firefox 2.0.0.2 - Affected
Mozilla Firefox 2.0.0.3 - Affected
Mozilla Firefox 2.0.0.4 - Affected
Mozilla Firefox 2.0.0.5 - Affected
Mozilla Firefox 2.0.0.6 - Affected
Mozilla Firefox 2.0.0.7 - Affected
Mozilla Firefox 2.0.0.8 - Affected
Mozilla Seamonkey <= 1.1.6 - Affected
Mozilla Seamonkey 1.1.1 - Affected
Mozilla Seamonkey 1.1.2 - Affected
Mozilla Seamonkey 1.1.3 - Affected
Mozilla Seamonkey 1.1.4 - Affected
Mozilla Seamonkey 1.1.5 - Affected