CVE-2009-2654

MEDIUM

Description

Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page.

References

http://blog.mozilla.com/security/2009/07/28/url-bar-spoofing-vulnerability/

http://es.geocities.com/jplopezy/firefoxspoofing.html

http://osvdb.org/56717

http://secunia.com/advisories/36001

http://secunia.com/advisories/36126

http://secunia.com/advisories/36141

http://secunia.com/advisories/36435

http://secunia.com/advisories/36669

http://secunia.com/advisories/36670

http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1

http://www.debian.org/security/2009/dsa-1873

http://www.mozilla.org/security/announce/2009/mfsa2009-44.html

http://www.redhat.com/support/errata/RHSA-2009-1430.html

http://www.redhat.com/support/errata/RHSA-2009-1431.html

http://www.redhat.com/support/errata/RHSA-2009-1432.html

http://www.securityfocus.com/archive/1/505242/30/0/threaded

http://www.securityfocus.com/archive/1/505265

http://www.securityfocus.com/bid/35803

http://www.securitytracker.com/id?1022603

http://www.vupen.com/english/advisories/2009/2006

http://www.vupen.com/english/advisories/2009/2142

https://bugzilla.mozilla.org/show_bug.cgi?id=451898

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9686

https://usn.ubuntu.com/811-1/

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00198.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00261.html

Details

Source: MITRE

Published: 2009-08-03

Updated: 2018-10-03

Type: CWE-20

Risk Information

CVSS v2.0

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM