CVE-2009-0776

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

nsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to bypass the same-origin policy and read XML data from another domain via a cross-domain redirect.

References

http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00009.html

http://secunia.com/advisories/34137

http://secunia.com/advisories/34140

http://secunia.com/advisories/34145

http://secunia.com/advisories/34272

http://secunia.com/advisories/34324

http://secunia.com/advisories/34383

http://secunia.com/advisories/34387

http://secunia.com/advisories/34417

http://secunia.com/advisories/34462

http://secunia.com/advisories/34464

http://secunia.com/advisories/34527

http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.405420

http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.433952

http://support.avaya.com/elmodocs2/security/ASA-2009-069.htm

http://support.avaya.com/japple/css/japple?temp.documentID=366362&temp.productID=154235&temp.releaseID=361845&temp.bucketID=126655&PAGE=Document

http://www.debian.org/security/2009/dsa-1751

http://www.debian.org/security/2009/dsa-1830

http://www.mandriva.com/security/advisories?name=MDVSA-2009:075

http://www.mandriva.com/security/advisories?name=MDVSA-2009:083

http://www.mozilla.org/security/announce/2009/mfsa2009-09.html

http://www.redhat.com/support/errata/RHSA-2009-0258.html

http://www.redhat.com/support/errata/RHSA-2009-0315.html

http://www.redhat.com/support/errata/RHSA-2009-0325.html

http://www.securityfocus.com/bid/33990

http://www.securitytracker.com/id?1021797

http://www.vupen.com/english/advisories/2009/0632

https://bugzilla.mozilla.org/show_bug.cgi?id=414540

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5956

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6017

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6191

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7390

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9241

https://usn.ubuntu.com/741-1/

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00769.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00771.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg01077.html

Details

Source: MITRE

Published: 2009-03-05

Updated: 2018-10-03

Type: CWE-200

Risk Information

CVSS v2

Base Score: 7.1

Vector: AV:N/AC:M/Au:N/C:C/I:N/A:N

Impact Score: 6.9

Exploitability Score: 8.6

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.10:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.11:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.12:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.15:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.16:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.17:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.18:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.19:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.20:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* versions up to 3.0.6 (inclusive)

cpe:2.3:a:mozilla:seamonkey:1.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.0.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1:alpha:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1:beta:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.10:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.11:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.12:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:1.1.13:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:* versions up to 1.1.14 (inclusive)

cpe:2.3:a:mozilla:thunderbird:2.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:2.0.0.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:2.0.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:2.0.0.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:2.0.0.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:2.0.0.12:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:2.0.0.14:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:2.0.0.16:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:2.0.0.17:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:2.0.0.18:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:2.0.0.19:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* versions up to 2.0.0.20 (inclusive)

Tenable Plugins

View all (45 total)

IDNameProductFamilySeverity
67811Oracle Linux 3 / 4 : seamonkey (ELSA-2009-0325)NessusOracle Linux Local Security Checks
critical
67810Oracle Linux 4 / 5 : firefox (ELSA-2009-0315)NessusOracle Linux Local Security Checks
critical
67797Oracle Linux 4 : thunderbird (ELSA-2009-0258)NessusOracle Linux Local Security Checks
critical
65116Ubuntu 6.06 LTS : firefox vulnerabilities (USN-728-3)NessusUbuntu Local Security Checks
high
65115Ubuntu 7.10 : firefox vulnerabilities (USN-728-2)NessusUbuntu Local Security Checks
high
63402GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)NessusGentoo Local Security Checks
critical
60553Scientific Linux Security Update : thunderbird on SL4.x, SL5.x i386/x86_64NessusScientific Linux Local Security Checks
critical
60540Scientific Linux Security Update : seamonkey on SL3.x, SL4.x i386/x86_64NessusScientific Linux Local Security Checks
critical
60538Scientific Linux Security Update : firefox on SL4.x, SL5.x i386/x86_64NessusScientific Linux Local Security Checks
critical
44695Debian DSA-1830-1 : icedove - several vulnerabilitiesNessusDebian Local Security Checks
critical
41467SuSE 10 Security Update : MozillaFirefox (ZYPP Patch Number 6187)NessusSuSE Local Security Checks
critical
41352SuSE 11 Security Update : MozillaFirefox (SAT Patch Number 656)NessusSuSE Local Security Checks
critical
40309openSUSE Security Update : seamonkey (seamonkey-1014)NessusSuSE Local Security Checks
critical
40170openSUSE Security Update : MozillaFirefox (MozillaFirefox-591)NessusSuSE Local Security Checks
critical
40133openSUSE Security Update : seamonkey (seamonkey-1014)NessusSuSE Local Security Checks
critical
39887openSUSE Security Update : MozillaFirefox (MozillaFirefox-591)NessusSuSE Local Security Checks
critical
39462openSUSE 10 Security Update : seamonkey (seamonkey-6310)NessusSuSE Local Security Checks
critical
38891CentOS 4 / 5 : thunderbird (CESA-2009:0258)NessusCentOS Local Security Checks
critical
38036Ubuntu 8.04 LTS / 8.10 : firefox-3.0, xulrunner-1.9 vulnerabilities (USN-728-1)NessusUbuntu Local Security Checks
critical
37911Fedora 10 : seamonkey-1.1.15-3.fc10 (2009-3161)NessusFedora Local Security Checks
critical
37610Mandriva Linux Security Advisory : firefox (MDVSA-2009:075)NessusMandriva Local Security Checks
critical
37220Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : mozilla-thunderbird, thunderbird vulnerabilities (USN-741-1)NessusUbuntu Local Security Checks
critical
36866Fedora 10 : Miro-2.0-4.fc10 / blam-1.8.5-7.fc10 / devhelp-0.22-5.fc10 / epiphany-2.24.3-3.fc10 / etc (2009-2422)NessusFedora Local Security Checks
critical
36827Fedora 10 : thunderbird-2.0.0.21-1.fc10 (2009-2882)NessusFedora Local Security Checks
critical
36318Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2009:083)NessusMandriva Local Security Checks
critical
36199openSUSE 10 Security Update : MozillaFirefox (MozillaFirefox-6194)NessusSuSE Local Security Checks
critical
36054Fedora 9 : seamonkey-1.1.15-3.fc9 (2009-3101)NessusFedora Local Security Checks
critical
36014RHEL 4 / 5 : thunderbird (RHSA-2009:0258)NessusRed Hat Local Security Checks
critical
36011Slackware 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / current : mozilla-thunderbird (SSA:2009-083-03)NessusSlackware Local Security Checks
critical
36010Slackware 11.0 / 12.0 / 12.1 / 12.2 / current : seamonkey (SSA:2009-083-02)NessusSlackware Local Security Checks
critical
4965SeaMonkey < 1.1.15 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
medium
4964Mozilla Thunderbird < 2.0.0.21 Multiple VulnerabilitiesNessus Network MonitorSMTP Clients
medium
35989Debian DSA-1751-1 : xulrunner - several vulnerabilitiesNessusDebian Local Security Checks
critical
35984Fedora 9 : thunderbird-2.0.0.21-1.fc9 (2009-2884)NessusFedora Local Security Checks
critical
35978SeaMonkey < 1.1.15 Multiple VulnerabilitiesNessusWindows
high
35977Mozilla Thunderbird < 2.0.0.21 Multiple VulnerabilitiesNessusWindows
high
35802Fedora 9 : Miro-1.2.7-5.fc9 / blam-1.8.5-6.fc9.1 / chmsee-1.0.1-9.fc9 / devhelp-0.19.1-9.fc9 / etc (2009-2421)NessusFedora Local Security Checks
critical
35789CentOS 4 / 5 : firefox (CESA-2009:0315)NessusCentOS Local Security Checks
critical
35780CentOS 3 / 4 : seamonkey (CESA-2009:0325)NessusCentOS Local Security Checks
critical
4950Mozilla Firefox < 3.0.7 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
medium
35778Firefox 3.0.x < 3.0.7 Multiple VulnerabilitiesNessusWindows
high
35774RHEL 2.1 / 3 / 4 : seamonkey (RHSA-2009:0325)NessusRed Hat Local Security Checks
critical
35773RHEL 4 / 5 : firefox (RHSA-2009:0315)NessusRed Hat Local Security Checks
critical
801212Mozilla Thunderbird < 2.0.0.21 Multiple VulnerabilitiesLog Correlation EngineSMTP Clients
high
800869SeaMonkey < 1.1.15 Multiple VulnerabilitiesLog Correlation EngineWeb Clients
high