Description

Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict read access to the statusText property of XMLHttpRequest objects, which allows remote attackers to discover the existence of intranet web servers via cross-origin requests.

References

http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_mozilla_firefox

http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047282.html

http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00002.html

http://secunia.com/advisories/42867

http://support.avaya.com/css/P8/documents/100112690

http://www.mandriva.com/security/advisories?name=MDVSA-2010:173

http://www.mozilla.org/security/announce/2010/mfsa2010-63.html

http://www.securityfocus.com/bid/43104

http://www.vupen.com/english/advisories/2010/2323

http://www.vupen.com/english/advisories/2011/0061

https://bugzilla.mozilla.org/show_bug.cgi?id=552090

https://exchange.xforce.ibmcloud.com/vulnerabilities/61662

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11684

Details

Risk Information

CVSS v2