National Vulnerability Database (NVD) National Vulnerability Database (CVE-2008-5506)

National Cyber-Alert System

Vulnerability Summary for CVE-2008-5506

Original release date:12/17/2008

Last revised:05/23/2009

Source: US-CERT/NIST

Overview

Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy by causing the browser to issue an XMLHttpRequest to an attacker-controlled resource that uses a 302 redirect to a resource in a different domain, then reading content from the response, aka "response disclosure."

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: MISC

Name: https://bugzilla.mozilla.org/show_bug.cgi?id=458248

Hyperlink:https://bugzilla.mozilla.org/show_bug.cgi?id=458248

External Source: XF

Name: mozilla-xmlhttprequest-302-info-disclosure(47412)

Hyperlink:http://xforce.iss.net/xforce/xfdb/47412

External Source: VUPEN

Name: ADV-2009-0977

Hyperlink:http://www.vupen.com/english/advisories/2009/0977

External Source: UBUNTU

Name: USN-690-3

Hyperlink:http://www.ubuntulinux.org/support/documentation/usn/usn-690-3

External Source: UBUNTU

Name: USN-690-1

Hyperlink:http://www.ubuntulinux.org/support/documentation/usn/usn-690-1

External Source: UBUNTU

Name: USN-690-2

Hyperlink:http://www.ubuntu.com/usn/usn-690-2

External Source: SECTRACK

Name: 1021427

Hyperlink:http://www.securitytracker.com/id?1021427

External Source: BID

Name: 32882

Hyperlink:http://www.securityfocus.com/bid/32882

External Source: REDHAT

Name: RHSA-2009:0002

Hyperlink:http://www.redhat.com/support/errata/RHSA-2009-0002.html

External Source: REDHAT

Name: RHSA-2008:1037

Hyperlink:http://www.redhat.com/support/errata/RHSA-2008-1037.html

External Source: REDHAT

Name: RHSA-2008:1036

Hyperlink:http://www.redhat.com/support/errata/RHSA-2008-1036.html

External Source: CONFIRM

Name: http://www.mozilla.org/security/announce/2008/mfsa2008-64.html

Type: Advisory

Hyperlink:http://www.mozilla.org/security/announce/2008/mfsa2008-64.html

External Source: MANDRIVA

Name: MDVSA-2009:012

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2009:012

External Source: MANDRIVA

Name: MDVSA-2008:245

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2008:245

External Source: MANDRIVA

Name: MDVSA-2008:244

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2008:244

External Source: DEBIAN

Name: DSA-1707

Hyperlink:http://www.debian.org/security/2009/dsa-1707

External Source: DEBIAN

Name: DSA-1704

Hyperlink:http://www.debian.org/security/2009/dsa-1704

External Source: DEBIAN

Name: DSA-1697

Hyperlink:http://www.debian.org/security/2009/dsa-1697

External Source: DEBIAN

Name: DSA-1696

Hyperlink:http://www.debian.org/security/2009/dsa-1696

External Source: SUNALERT

Name: 258748

Hyperlink:http://sunsolve.sun.com/search/document.do?assetkey=1-26-258748-1

External Source: SUNALERT

Name: 256408

Hyperlink:http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1

External Source: SECUNIA

Name: 35080

Hyperlink:http://secunia.com/advisories/35080

External Source: SECUNIA

Name: 34501

Hyperlink:http://secunia.com/advisories/34501

External Source: SECUNIA

Name: 33547

Hyperlink:http://secunia.com/advisories/33547

External Source: SECUNIA

Name: 33523

Hyperlink:http://secunia.com/advisories/33523

External Source: SECUNIA

Name: 33434

Hyperlink:http://secunia.com/advisories/33434

External Source: SECUNIA

Name: 33433

Hyperlink:http://secunia.com/advisories/33433

External Source: SECUNIA

Name: 33421

Hyperlink:http://secunia.com/advisories/33421

External Source: SECUNIA

Name: 33232

Hyperlink:http://secunia.com/advisories/33232

External Source: SECUNIA

Name: 33231

Hyperlink:http://secunia.com/advisories/33231

External Source: SECUNIA

Name: 33216

Hyperlink:http://secunia.com/advisories/33216

External Source: SECUNIA

Name: 33205

Hyperlink:http://secunia.com/advisories/33205

External Source: SECUNIA

Name: 33204

Hyperlink:http://secunia.com/advisories/33204

External Source: SECUNIA

Name: 33203

Hyperlink:http://secunia.com/advisories/33203

External Source: SECUNIA

Name: 33189

Hyperlink:http://secunia.com/advisories/33189

External Source: SECUNIA

Name: 33188

Hyperlink:http://secunia.com/advisories/33188

External Source: SECUNIA

Name: 33184

Hyperlink:http://secunia.com/advisories/33184

Vulnerable software and versions

Configuration 1

* cpe:/a:mozilla:firefox:3.0

* cpe:/a:mozilla:firefox:3.0.1

* cpe:/a:mozilla:firefox:3.0.2

* cpe:/a:mozilla:firefox:3.0.3

* cpe:/a:mozilla:firefox:2.0.0.17

* cpe:/a:mozilla:firefox:2.0.0.16

* cpe:/a:mozilla:firefox:2.0.0.15

* cpe:/a:mozilla:firefox:2.0.0.14

* cpe:/a:mozilla:firefox:2.0.0.13

* cpe:/a:mozilla:firefox:2.0.0.12

* cpe:/a:mozilla:firefox:2.0.0.11

* cpe:/a:mozilla:firefox:2.0.0.10

* cpe:/a:mozilla:firefox:2.0.0.9

* cpe:/a:mozilla:firefox:2.0.0.8

* cpe:/a:mozilla:firefox:2.0.0.7

* cpe:/a:mozilla:firefox:2.0.0.6

* cpe:/a:mozilla:firefox:2.0.0.5

* cpe:/a:mozilla:firefox:2.0.0.4

* cpe:/a:mozilla:firefox:2.0.0.3

* cpe:/a:mozilla:firefox:2.0.0.2

* cpe:/a:mozilla:firefox:2.0.0.1

* cpe:/a:mozilla:firefox:2.0

* cpe:/a:mozilla:thunderbird:2.0.0.17

* cpe:/a:mozilla:thunderbird:2.0.0.16

* cpe:/a:mozilla:thunderbird:2.0.0.14

* cpe:/a:mozilla:thunderbird:2.0.0.12

* cpe:/a:mozilla:thunderbird:2.0.0.9

* cpe:/a:mozilla:thunderbird:2.0.0.6

* cpe:/a:mozilla:thunderbird:2.0.0.5

* cpe:/a:mozilla:thunderbird:2.0.0.4

* cpe:/a:mozilla:thunderbird:2.0.0.0

* cpe:/a:mozilla:seamonkey:1.0

* cpe:/a:mozilla:seamonkey:1.0.1

* cpe:/a:mozilla:seamonkey:1.0.2

* cpe:/a:mozilla:seamonkey:1.0.3

* cpe:/a:mozilla:seamonkey:1.0.5

* cpe:/a:mozilla:seamonkey:1.0.6

* cpe:/a:mozilla:seamonkey:1.0.7

* cpe:/a:mozilla:seamonkey:1.0.8

* cpe:/a:mozilla:seamonkey:1.0.9

* cpe:/a:mozilla:seamonkey:1.1:alpha

* cpe:/a:mozilla:seamonkey:1.1:beta

* cpe:/a:mozilla:seamonkey:1.1

* cpe:/a:mozilla:seamonkey:1.1.1

* cpe:/a:mozilla:seamonkey:1.1.2

* cpe:/a:mozilla:seamonkey:1.1.3

* cpe:/a:mozilla:seamonkey:1.1.4

* cpe:/a:mozilla:seamonkey:1.1.5

* cpe:/a:mozilla:seamonkey:1.1.6

* cpe:/a:mozilla:seamonkey:1.1.7

* cpe:/a:mozilla:seamonkey:1.1.8

* cpe:/a:mozilla:seamonkey:1.1.9

* cpe:/a:mozilla:seamonkey:1.1.10

* cpe:/a:mozilla:seamonkey:1.1.11

* cpe:/a:mozilla:seamonkey:1.1.12

* cpe:/a:mozilla:firefox:3.0.4 and previous versions

* cpe:/a:mozilla:firefox:2.0.0.18 and previous versions

* cpe:/a:mozilla:thunderbird:2.0.0.18 and previous versions

* cpe:/a:mozilla:seamonkey:1.1.13 and previous versions

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Permissions, Privileges, and Access Control (CWE-264)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5506