CVE-2009-1307

MEDIUM

Description

The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to (1) bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; (2) read, create, or modify Local Shared Objects via a Flash file; or (3) bypass unspecified restrictions and render content via vectors involving a jar: URI.

References

http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html

http://rhn.redhat.com/errata/RHSA-2009-0437.html

http://secunia.com/advisories/34758

http://secunia.com/advisories/34780

http://secunia.com/advisories/34843

http://secunia.com/advisories/34844

http://secunia.com/advisories/34894

http://secunia.com/advisories/35042

http://secunia.com/advisories/35065

http://secunia.com/advisories/35536

http://secunia.com/advisories/35561

http://secunia.com/advisories/35602

http://secunia.com/advisories/35882

http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.425408

http://sunsolve.sun.com/search/document.do?assetkey=1-66-264308-1

http://www.debian.org/security/2009/dsa-1797

http://www.debian.org/security/2009/dsa-1830

http://www.mandriva.com/security/advisories?name=MDVSA-2009:111

http://www.mandriva.com/security/advisories?name=MDVSA-2009:141

http://www.mozilla.org/security/announce/2009/mfsa2009-17.html

http://www.redhat.com/support/errata/RHSA-2009-0436.html

http://www.redhat.com/support/errata/RHSA-2009-1125.html

http://www.redhat.com/support/errata/RHSA-2009-1126.html

http://www.securityfocus.com/bid/34656

http://www.securitytracker.com/id?1022093

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.454275

http://www.ubuntu.com/usn/usn-782-1

http://www.vupen.com/english/advisories/2009/1125

https://bugzilla.mozilla.org/show_bug.cgi?id=481342

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10972

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5933

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6154

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6266

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7008

https://usn.ubuntu.com/764-1/

https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00683.html

https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00444.html

https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00504.html

Details

Source: MITRE

Published: 2009-04-22

Updated: 2018-10-03

Type: CWE-20

Risk Information

CVSS v2.0

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mozilla:firefox:0.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.6.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.7.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.9:rc:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.9.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.9_rc:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:0.10.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0:preview_release:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.6:*:linux:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.0.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5:beta1:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5:beta2:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.10:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.11:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.0.12:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.5.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:1.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0:beta1:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0:beta_1:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0:rc2:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0:rc3:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.15:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.16:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.17:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.18:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.19:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.20:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:2.0.0.21:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0:alpha:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0:beta2:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0:beta5:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:3.0.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* versions up to 3.0.8 (inclusive)

cpe:2.3:a:mozilla:firefox:3.0beta5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Tenable Plugins

View all (49 total)

IDNameProductFamilySeverity
67881Oracle Linux 4 : thunderbird (ELSA-2009-1125)NessusOracle Linux Local Security Checks
high
67848Oracle Linux 3 / 4 : seamonkey (ELSA-2009-0437)NessusOracle Linux Local Security Checks
medium
67847Oracle Linux 4 / 5 : firefox (ELSA-2009-0436)NessusOracle Linux Local Security Checks
medium
63881RHEL 5 : thunderbird (RHSA-2009:1126)NessusRed Hat Local Security Checks
high
63402GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)NessusGentoo Local Security Checks
critical
60608Scientific Linux Security Update : thunderbird on SL4.x, SL5.x i386/x86_64NessusScientific Linux Local Security Checks
high
60573Scientific Linux Security Update : seamonkey on SL3.x, SL4.x i386/x86_64NessusScientific Linux Local Security Checks
medium
60572Scientific Linux Security Update : firefox on SL4.x, SL5.x i386/x86_64NessusScientific Linux Local Security Checks
medium
44695Debian DSA-1830-1 : icedove - several vulnerabilitiesNessusDebian Local Security Checks
critical
43762CentOS 5 : thunderbird (CESA-2009:1126)NessusCentOS Local Security Checks
high
43743CentOS 4 / 5 : firefox (CESA-2009:0436)NessusCentOS Local Security Checks
medium
42327openSUSE 10 Security Update : seamonkey (seamonkey-6538)NessusSuSE Local Security Checks
high
42206openSUSE Security Update : seamonkey (seamonkey-1364)NessusSuSE Local Security Checks
high
42202openSUSE Security Update : seamonkey (seamonkey-1364)NessusSuSE Local Security Checks
high
42048SuSE9 Security Update : epiphany (YOU Patch Number 12519)NessusSuSE Local Security Checks
high
41985openSUSE 10 Security Update : MozillaThunderbird (MozillaThunderbird-6347)NessusSuSE Local Security Checks
high
41437SuSE 11 Security Update : Mozilla (SAT Patch Number 834)NessusSuSE Local Security Checks
medium
41354SuSE 11 Security Update : MozillaFirefox (SAT Patch Number 835)NessusSuSE Local Security Checks
medium
40280openSUSE Security Update : mozilla-xulrunner190 (mozilla-xulrunner190-832)NessusSuSE Local Security Checks
medium
40176openSUSE Security Update : MozillaThunderbird (MozillaThunderbird-1091)NessusSuSE Local Security Checks
high
40172openSUSE Security Update : MozillaFirefox (MozillaFirefox-833)NessusSuSE Local Security Checks
medium
40076openSUSE Security Update : mozilla-xulrunner190 (mozilla-xulrunner190-832)NessusSuSE Local Security Checks
medium
39896openSUSE Security Update : MozillaThunderbird (MozillaThunderbird-1091)NessusSuSE Local Security Checks
high
39889openSUSE Security Update : MozillaFirefox (MozillaFirefox-833)NessusSuSE Local Security Checks
medium
39846Fedora 11 : seamonkey-1.1.17-1.fc11 (2009-7614)NessusFedora Local Security Checks
high
39845Fedora 10 : seamonkey-1.1.17-1.fc10 (2009-7567)NessusFedora Local Security Checks
high
39581Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2009:141)NessusMandriva Local Security Checks
high
39560Slackware 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / current : mozilla-thunderbird (SSA:2009-178-01)NessusSlackware Local Security Checks
high
39533Ubuntu 8.04 LTS / 8.10 / 9.04 : thunderbird vulnerabilities (USN-782-1)NessusUbuntu Local Security Checks
high
39528RHEL 4 : thunderbird (RHSA-2009:1125)NessusRed Hat Local Security Checks
high
39522Slackware 11.0 / 12.0 / 12.1 / 12.2 / current : seamonkey (SSA:2009-176-01)NessusSlackware Local Security Checks
high
39494SeaMonkey < 1.1.17 Multiple VulnerabilitiesNessusWindows
high
39493Mozilla Thunderbird < 2.0.0.22 Multiple VulnerabilitiesNessusWindows
high
38899CentOS 3 / 4 : seamonkey (CESA-2009:0437)NessusCentOS Local Security Checks
medium
38853Mandriva Linux Security Advisory : firefox (MDVSA-2009:111-1)NessusMandriva Local Security Checks
high
38724Debian DSA-1797-1 : xulrunner - several vulnerabilitiesNessusDebian Local Security Checks
medium
38160Fedora 10 : Miro-2.0.3-3.fc10 / blam-1.8.5-9.fc10 / devhelp-0.22-7.fc10 / epiphany-2.24.3-5.fc10 / etc (2009-3893)NessusFedora Local Security Checks
medium
37309Fedora 9 : Miro-2.0.3-3.fc9 / blam-1.8.5-8.fc9.1 / chmsee-1.0.1-11.fc9 / devhelp-0.19.1-11.fc9 / etc (2009-3875)NessusFedora Local Security Checks
medium
36228Ubuntu 8.04 LTS / 8.10 / 9.04 : firefox-3.0, xulrunner-1.9 vulnerabilities (USN-764-1)NessusUbuntu Local Security Checks
medium
4998Mozilla Firefox < 3.0.9 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
medium
36215Firefox < 3.0.9 Multiple VulnerabilitiesNessusWindows
high
36214RHEL 2.1 / 3 / 4 : seamonkey (RHSA-2009:0437)NessusRed Hat Local Security Checks
medium
36213RHEL 4 / 5 : firefox (RHSA-2009:0436)NessusRed Hat Local Security Checks
medium
36212FreeBSD : mozilla -- multiple vulnerabilities (3b18e237-2f15-11de-9672-0030843d3802)NessusFreeBSD Local Security Checks
medium
5084SeaMonkey < 1.1.17 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
medium
5001Mozilla Thunderbird < 2.0.0.22 Multiple VulnerabilitiesNessus Network MonitorSMTP Clients
medium
801255Mozilla SeaMonkey < 1.1.17 Multiple VulnerabilitiesLog Correlation EngineWeb Clients
high
801249Mozilla Thunderbird < 2.0.0.21 Multiple VulnerabilitiesLog Correlation EngineSMTP Clients
high
800746Firefox < 3.0.9 Multiple VulnerabilitiesLog Correlation EngineWeb Clients
high