// For flags

CVE-2008-0418

Mozilla Firefox 2.0 - 'chrome://' URI JavaScript File Request Information Disclosure

Severity Score

4.3
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Directory traversal vulnerability in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8, when using "flat" addons, allows remote attackers to read arbitrary Javascript, image, and stylesheet files via the chrome: URI scheme, as demonstrated by stealing session information from sessionstore.js.

Vulnerabilidad de salto de directorio en Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, y SeaMonkey en versiones anteriores a 1.1.8, cuando usa addons "llanos", permite a atacantes remotos leer Javascript, imágenes, y ficheros de hojas de estilo de su elección a través de chrome: URI scheme, tal y como se demostró robando información de la sesión de sessionstore.js.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2008-01-19 First Exploit
  • 2008-01-23 CVE Reserved
  • 2008-02-08 CVE Published
  • 2024-08-07 CVE Updated
  • 2024-11-04 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (70)
URL Tag Source
http://browser.netscape.com/releasenotes X_refsource_confirm
http://secunia.com/advisories/28622 Third Party Advisory
http://secunia.com/advisories/28754 Third Party Advisory
http://secunia.com/advisories/28766 Third Party Advisory
http://secunia.com/advisories/28808 Third Party Advisory
http://secunia.com/advisories/28815 Third Party Advisory
http://secunia.com/advisories/28818 Third Party Advisory
http://secunia.com/advisories/28839 Third Party Advisory
http://secunia.com/advisories/28864 Third Party Advisory
http://secunia.com/advisories/28865 Third Party Advisory
http://secunia.com/advisories/28877 Third Party Advisory
http://secunia.com/advisories/28879 Third Party Advisory
http://secunia.com/advisories/28924 Third Party Advisory
http://secunia.com/advisories/28939 Third Party Advisory
http://secunia.com/advisories/28958 Third Party Advisory
http://secunia.com/advisories/29049 Third Party Advisory
http://secunia.com/advisories/29086 Third Party Advisory
http://secunia.com/advisories/29098 Third Party Advisory
http://secunia.com/advisories/29164 Third Party Advisory
http://secunia.com/advisories/29167 Third Party Advisory
http://secunia.com/advisories/29211 Third Party Advisory
http://secunia.com/advisories/29567 Third Party Advisory
http://secunia.com/advisories/30327 Third Party Advisory
http://secunia.com/advisories/30620 Third Party Advisory
http://secunia.com/advisories/31043 Third Party Advisory
http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html X_refsource_confirm
http://wiki.rpath.com/Advisories:rPSA-2008-0051 X_refsource_confirm
http://wiki.rpath.com/Advisories:rPSA-2008-0093 X_refsource_confirm
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093 X_refsource_confirm
http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal X_refsource_misc
http://www.kb.cert.org/vuls/id/309608 Third Party Advisory
http://www.mozilla.org/security/announce/2008/mfsa2008-05.html X_refsource_confirm
http://www.securityfocus.com/archive/1/487826/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/488002/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/488971/100/0/threaded Mailing List
http://www.securityfocus.com/bid/27406 Vdb Entry
http://www.securitytracker.com/id?1019329 Vdb Entry
http://www.vupen.com/english/advisories/2008/0263 Vdb Entry
http://www.vupen.com/english/advisories/2008/0453/references Vdb Entry
http://www.vupen.com/english/advisories/2008/0454/references Vdb Entry
http://www.vupen.com/english/advisories/2008/0627/references Vdb Entry
http://www.vupen.com/english/advisories/2008/1793/references Vdb Entry
http://www.vupen.com/english/advisories/2008/2091/references Vdb Entry
https://issues.rpath.com/browse/RPL-1995 X_refsource_confirm
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10705 Signature
URL Date SRC
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html 2018-10-15
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.445399 2018-10-15
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1 2018-10-15
http://sunsolve.sun.com/search/document.do?assetkey=1-26-239546-1 2018-10-15
http://www.debian.org/security/2008/dsa-1484 2018-10-15
http://www.debian.org/security/2008/dsa-1485 2018-10-15
http://www.debian.org/security/2008/dsa-1489 2018-10-15
http://www.debian.org/security/2008/dsa-1506 2018-10-15
http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml 2018-10-15
http://www.mandriva.com/security/advisories?name=MDVSA-2008:048 2018-10-15
http://www.mandriva.com/security/advisories?name=MDVSA-2008:062 2018-10-15
http://www.redhat.com/support/errata/RHSA-2008-0103.html 2018-10-15
http://www.redhat.com/support/errata/RHSA-2008-0104.html 2018-10-15
http://www.redhat.com/support/errata/RHSA-2008-0105.html 2018-10-15
http://www.ubuntu.com/usn/usn-576-1 2018-10-15
http://www.ubuntu.com/usn/usn-582-1 2018-10-15
http://www.ubuntu.com/usn/usn-582-2 2018-10-15
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00274.html 2018-10-15
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00309.html 2018-10-15
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00381.html 2018-10-15
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00905.html 2018-10-15
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00946.html 2018-10-15
https://access.redhat.com/security/cve/CVE-2008-0418 2008-02-08
https://bugzilla.redhat.com/show_bug.cgi?id=431748 2008-02-08
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mozilla
Search vendor "Mozilla"
Firefox
Search vendor "Mozilla" for product "Firefox"
<= 2.0.0.11
Search vendor "Mozilla" for product "Firefox" and version " <= 2.0.0.11"
-
Affected
Mozilla
Search vendor "Mozilla"
Seamonkey
Search vendor "Mozilla" for product "Seamonkey"
<= 1.1.7
Search vendor "Mozilla" for product "Seamonkey" and version " <= 1.1.7"
-
Affected
Mozilla
Search vendor "Mozilla"
Thunderbird
Search vendor "Mozilla" for product "Thunderbird"
<= 2.0.0.11
Search vendor "Mozilla" for product "Thunderbird" and version " <= 2.0.0.11"
-
Affected