CVE-2009-3987

HIGH

Description

The GeckoActiveXObject function in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, generates different exception messages depending on whether the referenced COM object is listed in the registry, which allows remote attackers to obtain potentially sensitive information about installed software by making multiple calls that specify the ProgID values of different COM objects.

References

http://secunia.com/advisories/37699

http://secunia.com/advisories/37785

http://securitytracker.com/id?1023346

http://securitytracker.com/id?1023347

http://www.mozilla.org/security/announce/2009/mfsa2009-71.html

http://www.securityfocus.com/bid/37349

http://www.securityfocus.com/bid/37360

http://www.vupen.com/english/advisories/2009/3547

https://bugzilla.mozilla.org/show_bug.cgi?id=503451

https://bugzilla.redhat.com/show_bug.cgi?id=546729

https://exchange.xforce.ibmcloud.com/vulnerabilities/54798

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7958

Details

Source: MITRE

Published: 2009-12-17

Updated: 2017-09-19

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 7.8

Vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N)

Impact Score: 6.9

Exploitability Score: 10

Severity: HIGH