CVE-2009-1307

MEDIUM

Description

The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to (1) bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; (2) read, create, or modify Local Shared Objects via a Flash file; or (3) bypass unspecified restrictions and render content via vectors involving a jar: URI.

References

http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html

http://rhn.redhat.com/errata/RHSA-2009-0437.html

http://secunia.com/advisories/34758

http://secunia.com/advisories/34780

http://secunia.com/advisories/34843

http://secunia.com/advisories/34844

http://secunia.com/advisories/34894

http://secunia.com/advisories/35042

http://secunia.com/advisories/35065

http://secunia.com/advisories/35536

http://secunia.com/advisories/35561

http://secunia.com/advisories/35602

http://secunia.com/advisories/35882

http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.425408

http://sunsolve.sun.com/search/document.do?assetkey=1-66-264308-1

http://www.debian.org/security/2009/dsa-1797

http://www.debian.org/security/2009/dsa-1830

http://www.mandriva.com/security/advisories?name=MDVSA-2009:111

http://www.mandriva.com/security/advisories?name=MDVSA-2009:141

http://www.mozilla.org/security/announce/2009/mfsa2009-17.html

http://www.redhat.com/support/errata/RHSA-2009-0436.html

http://www.redhat.com/support/errata/RHSA-2009-1125.html

http://www.redhat.com/support/errata/RHSA-2009-1126.html

http://www.securityfocus.com/bid/34656

http://www.securitytracker.com/id?1022093

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.454275

http://www.ubuntu.com/usn/usn-782-1

http://www.vupen.com/english/advisories/2009/1125

https://bugzilla.mozilla.org/show_bug.cgi?id=481342

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10972

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5933

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6154

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6266

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7008

https://usn.ubuntu.com/764-1/

https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00683.html

https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00444.html

https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00504.html

Details

Source: MITRE

Published: 2009-04-22

Updated: 2018-10-03

Type: CWE-20

Risk Information

CVSS v2.0

Base Score: 6.8

Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM