// For flags

CVE-2008-1238

Referrer spoofing bug

Severity Score

8.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, does not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms.

Mozilla Firefox versiones anteriores a 2.0.0.13 y SeaMonkey versiones anteriores a 1.1.9, cuando generan las cabeceras HTTP Referer, no listan la URL entera cuando contienen credenciales de autenticación básicas sin un nombre de usuario, lo cual hace más fácil a atacantes remotos evitar los mecanismos de protección de aplicaciones que dependen de la cabecera Referer, como con algunos mecanismos de falsificación de petición en sitios cruzados (CSRF).

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2008-03-10 CVE Reserved
  • 2008-03-27 CVE Published
  • 2024-08-07 CVE Updated
  • 2024-08-07 First Exploit
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-287: Improper Authentication
CAPEC
References (37)
URL Tag Source
http://secunia.com/advisories/29391 Third Party Advisory
http://secunia.com/advisories/29526 Third Party Advisory
http://secunia.com/advisories/29539 Third Party Advisory
http://secunia.com/advisories/29541 Third Party Advisory
http://secunia.com/advisories/29547 Third Party Advisory
http://secunia.com/advisories/29550 Third Party Advisory
http://secunia.com/advisories/29558 Third Party Advisory
http://secunia.com/advisories/29560 Third Party Advisory
http://secunia.com/advisories/29607 Third Party Advisory
http://secunia.com/advisories/29616 Third Party Advisory
http://secunia.com/advisories/29645 Third Party Advisory
http://secunia.com/advisories/30327 Third Party Advisory
http://secunia.com/advisories/30620 Third Party Advisory
http://sla.ckers.org/forum/read.php?10%2C20033 X_refsource_misc
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128 X_refsource_confirm
http://www.securityfocus.com/archive/1/490196/100/0/threaded Mailing List
http://www.securityfocus.com/bid/28448 Vdb Entry
http://www.securitytracker.com/id?1019703 Vdb Entry
http://www.us-cert.gov/cas/techalerts/TA08-087A.html Third Party Advisory
http://www.vupen.com/english/advisories/2008/0998/references Vdb Entry
http://www.vupen.com/english/advisories/2008/1793/references Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/41449 Vdb Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9889 Signature
URL Date SRC
http://www.mozilla.org/security/announce/2008/mfsa2008-16.html 2024-08-07
URL Date SRC
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00002.html 2023-02-13
http://rhn.redhat.com/errata/RHSA-2008-0208.html 2023-02-13
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1 2023-02-13
http://www.debian.org/security/2008/dsa-1532 2023-02-13
http://www.debian.org/security/2008/dsa-1534 2023-02-13
http://www.debian.org/security/2008/dsa-1535 2023-02-13
http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml 2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2008:080 2023-02-13
http://www.redhat.com/support/errata/RHSA-2008-0207.html 2023-02-13
http://www.redhat.com/support/errata/RHSA-2008-0209.html 2023-02-13
http://www.ubuntu.com/usn/usn-592-1 2023-02-13
https://access.redhat.com/security/cve/CVE-2008-1238 2008-04-03
https://bugzilla.redhat.com/show_bug.cgi?id=438724 2008-04-03
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mozilla
Search vendor "Mozilla"
 Firefox
Search vendor "Mozilla" for product "Firefox"
 <= 2.0.0.12
Search vendor "Mozilla" for product "Firefox" and version " <= 2.0.0.12"
-
Affected
Mozilla
Search vendor "Mozilla"
 Seamonkey
Search vendor "Mozilla" for product "Seamonkey"
 <= 1.1.8
Search vendor "Mozilla" for product "Seamonkey" and version " <= 1.1.8"
-
Affected