CVE-2009-2654

high

Description

Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar (and possibly conduct phishing attacks) via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method while the error page is still loading.

References

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00261.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00198.html

https://usn.ubuntu.com/811-1/

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9686

https://bugzilla.mozilla.org/show_bug.cgi?id=451898

http://www.vupen.com/english/advisories/2009/2142

http://www.vupen.com/english/advisories/2009/2006

http://www.securitytracker.com/id?1022603

http://www.securityfocus.com/archive/1/505265

http://www.redhat.com/support/errata/RHSA-2009-1432.html

http://www.redhat.com/support/errata/RHSA-2009-1431.html

http://www.redhat.com/support/errata/RHSA-2009-1430.html

http://www.mozilla.org/security/announce/2009/mfsa2009-44.html

http://www.debian.org/security/2009/dsa-1873

http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1

http://secunia.com/advisories/36670

http://secunia.com/advisories/36669

http://secunia.com/advisories/36435

http://secunia.com/advisories/36141

http://secunia.com/advisories/36126

http://secunia.com/advisories/36001

http://osvdb.org/56717

http://es.geocities.com/jplopezy/firefoxspoofing.html

http://blog.mozilla.com/security/2009/07/28/url-bar-spoofing-vulnerability/

Details

Source: MITRE, NVD

Published: 2009-08-03

Risk Information

CVSS v2

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Severity: High