CVE-2009-2472

Severity: medium

Description

Mozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrapper when required during object construction, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted document, related to a "cross origin wrapper bypass."

References

https://bugzilla.mozilla.org/show_bug.cgi?id=479288

http://www.securityfocus.com/bid/35758

https://bugzilla.mozilla.org/show_bug.cgi?id=481434

http://www.mozilla.org/security/announce/2009/mfsa2009-40.html

http://www.vupen.com/english/advisories/2009/1972

http://secunia.com/advisories/35914

https://bugzilla.mozilla.org/show_bug.cgi?id=497102

http://rhn.redhat.com/errata/RHSA-2009-1162.html

http://secunia.com/advisories/35944

https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01032.html

http://sunsolve.sun.com/search/document.do?assetkey=1-26-265068-1

http://www.vupen.com/english/advisories/2009/2152

http://secunia.com/advisories/36145

http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00005.html

http://secunia.com/advisories/36005

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020800.1-1

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9497

Details

Source: MITRE

Published: 2009-07-22

Updated: 2021-07-29

Type: CWE-79

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Tenable Plugins

18 plugins total:

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 67893 | Oracle Linux 4 / 5 : firefox (ELSA-2009-1162) | Nessus | Oracle Linux Local Security Checks | critical |
| 63402 | GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST) | Nessus | Gentoo Local Security Checks | critical |
| 62808 | Scientific Linux Security Update : firefox on SL4.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | critical |
| 60619 | Scientific Linux Security Update : firefox on SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | critical |
| 60618 | Scientific Linux Security Update : firefox on SL4.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | critical |
| 44705 | Debian DSA-1840-1 : xulrunner - several vulnerabilities | Nessus | Debian Local Security Checks | critical |
| 43769 | CentOS 5 : firefox (CESA-2009:1162) | Nessus | CentOS Local Security Checks | critical |
| 41983 | openSUSE 10 Security Update : MozillaFirefox (MozillaFirefox-6379) | Nessus | SuSE Local Security Checks | critical |
| 41357 | SuSE 11 Security Update : MozillaFirefox (SAT Patch Number 1134) | Nessus | SuSE Local Security Checks | critical |
| 40438 | Mandriva Linux Security Advisory : firefox (MDVSA-2009:182) | Nessus | Mandriva Local Security Checks | critical |
| 800767 | Firefox < 3.0.12 Multiple Vulnerabilities | Log Correlation Engine | Web Clients | high |
| 5101 | Mozilla Firefox < 3.0.12 Multiple Vulnerabilities | Nessus Network Monitor | Web Clients | medium |
| 40404 | openSUSE Security Update : MozillaFirefox (MozillaFirefox-1135) | Nessus | SuSE Local Security Checks | critical |
| 40403 | openSUSE Security Update : MozillaFirefox (MozillaFirefox-1135) | Nessus | SuSE Local Security Checks | critical |
| 40358 | Fedora 10 : Miro-2.0.5-2.fc10 / blam-1.8.5-12.fc10 / devhelp-0.22-10.fc10 / epiphany-2.24.3-8.fc10 / etc (2009-7961) | Nessus | Fedora Local Security Checks | critical |
| 40348 | Ubuntu 8.04 LTS / 8.10 / 9.04 : firefox-3.0, xulrunner-1.9 vulnerabilities (USN-798-1) | Nessus | Ubuntu Local Security Checks | critical |
| 40351 | Firefox < 3.0.12 Multiple Vulnerabilities | Nessus | Windows | high |
| 40340 | RHEL 4 / 5 : firefox (RHSA-2009:1162) | Nessus | Red Hat Local Security Checks | critical |