CVE-2009-1840

HIGH

Description

Mozilla Firefox before 3.0.11, Thunderbird, and SeaMonkey do not check content policy before loading a script file into a XUL document, which allows remote attackers to bypass intended access restrictions via a crafted HTML document, as demonstrated by a "web bug" in an e-mail message, or web script or an advertisement in a web page.

References

http://osvdb.org/55158

http://secunia.com/advisories/35331

http://secunia.com/advisories/35415

http://secunia.com/advisories/35431

http://secunia.com/advisories/35439

http://secunia.com/advisories/35440

http://secunia.com/advisories/35468

http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.372468

http://sunsolve.sun.com/search/document.do?assetkey=1-66-264308-1

http://www.debian.org/security/2009/dsa-1820

http://www.mandriva.com/security/advisories?name=MDVSA-2009:141

http://www.mozilla.org/security/announce/2009/mfsa2009-31.html

http://www.securityfocus.com/bid/35326

http://www.securitytracker.com/id?1022379

http://www.vupen.com/english/advisories/2009/1572

https://bugzilla.mozilla.org/show_bug.cgi?id=477979

https://bugzilla.redhat.com/show_bug.cgi?id=503582

https://exchange.xforce.ibmcloud.com/vulnerabilities/51076

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9448

https://rhn.redhat.com/errata/RHSA-2009-1095.html

https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00574.html

https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00657.html

Details

Source: MITRE

Published: 2009-06-12

Updated: 2017-09-29

Type: CWE-264

Risk Information

CVSS v2.0

Base Score: 9.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 8.6

Severity: HIGH

Tenable Plugins (26 total)

ID | Name | Product | Family | Severity
67870 | Oracle Linux 3 / 4 : seamonkey (ELSA-2009-1096) | Nessus | Oracle Linux Local Security Checks | high
67869 | Oracle Linux 4 / 5 : firefox (ELSA-2009-1095) | Nessus | Oracle Linux Local Security Checks | high
63402 | GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST) | Nessus | Gentoo Local Security Checks | critical
60593 | Scientific Linux Security Update : firefox on SL4.x, SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | high
43755 | CentOS 5 : firefox (CESA-2009:1095) | Nessus | CentOS Local Security Checks | high
41356 | SuSE 11 Security Update : MozillaFirefox (SAT Patch Number 1001) | Nessus | SuSE Local Security Checks | high
40174 | openSUSE Security Update : MozillaFirefox (MozillaFirefox-1000) | Nessus | SuSE Local Security Checks | high
39891 | openSUSE Security Update : MozillaFirefox (MozillaFirefox-1000) | Nessus | SuSE Local Security Checks | high
39581 | Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2009:141) | Nessus | Mandriva Local Security Checks | high
39452 | Debian DSA-1820-1 : xulrunner - several vulnerabilities | Nessus | Debian Local Security Checks | high
39443 | Mandriva Linux Security Advisory : firefox (MDVSA-2009:134) | Nessus | Mandriva Local Security Checks | high
39421 | Slackware 12.2 / current : mozilla-firefox (SSA:2009-167-01) | Nessus | Slackware Local Security Checks | high
39406 | Fedora 9 : Miro-2.0.3-5.fc9 / blam-1.8.5-10.fc9.1 / chmsee-1.0.1-13.fc9 / devhelp-0.19.1-13.fc9 / etc (2009-6411) | Nessus | Fedora Local Security Checks | high
39403 | Fedora 10 : Miro-2.0.3-5.fc10 / blam-1.8.5-11.fc10 / devhelp-0.22-9.fc10 / epiphany-2.24.3-7.fc10 / etc (2009-6366) | Nessus | Fedora Local Security Checks | high
39390 | Ubuntu 8.04 LTS / 8.10 / 9.04 : firefox-3.0, xulrunner-1.9 vulnerabilities (USN-779-1) | Nessus | Ubuntu Local Security Checks | high
39376 | FreeBSD : mozilla -- multiple vulnerabilities (da185955-5738-11de-b857-000f20797ede) | Nessus | FreeBSD Local Security Checks | high
39373 | CentOS 3 : seamonkey (CESA-2009:1096) | Nessus | CentOS Local Security Checks | high
39372 | Firefox < 3.0.11 Multiple Vulnerabilities | Nessus | Windows | high
39370 | RHEL 3 / 4 : seamonkey (RHSA-2009:1096) | Nessus | Red Hat Local Security Checks | high
39369 | RHEL 4 / 5 : firefox (RHSA-2009:1095) | Nessus | Red Hat Local Security Checks | high
5084 | SeaMonkey < 1.1.17 Multiple Vulnerabilities | Nessus Network Monitor | Web Clients | medium
5072 | Mozilla Firefox < 3.0.11 Multiple Vulnerabilities | Nessus Network Monitor | Web Clients | medium
5001 | Mozilla Thunderbird < 2.0.0.22 Multiple Vulnerabilities | Nessus Network Monitor | SMTP Clients | medium
801255 | Mozilla SeaMonkey < 1.1.17 Multiple Vulnerabilities | Log Correlation Engine | Web Clients | high
801249 | Mozilla Thunderbird < 2.0.0.21 Multiple Vulnerabilities | Log Correlation Engine | SMTP Clients | high
800755 | Firefox < 3.0.11 Multiple Vulnerabilities | Log Correlation Engine | Web Clients | high