CVE-2009-3987

medium

Description

The GeckoActiveXObject function in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, generates different exception messages depending on whether the referenced COM object is listed in the registry, which allows remote attackers to obtain potentially sensitive information about installed software by making multiple calls that specify the ProgID values of different COM objects.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7958

https://exchange.xforce.ibmcloud.com/vulnerabilities/54798

https://bugzilla.redhat.com/show_bug.cgi?id=546729

https://bugzilla.mozilla.org/show_bug.cgi?id=503451

http://www.vupen.com/english/advisories/2009/3547

http://www.securityfocus.com/bid/37360

http://www.securityfocus.com/bid/37349

http://www.mozilla.org/security/announce/2009/mfsa2009-71.html

http://securitytracker.com/id?1023347

http://securitytracker.com/id?1023346

http://secunia.com/advisories/37785

http://secunia.com/advisories/37699

Details

Source: Mitre, NVD

Published: 2009-12-17

Updated: 2025-04-09

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

Severity: High

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00812