CVE-2008-2801

Critical

Description

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly implement JAR signing, which allows remote attackers to execute arbitrary code via (1) injection of JavaScript into documents within a JAR archive or (2) a JAR archive that uses relative URLs to JavaScript files.

References

https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00295.html

https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00288.html

https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00207.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11810

https://issues.rpath.com/browse/RPL-2646

https://bugzilla.mozilla.org/show_bug.cgi?id=424426

https://bugzilla.mozilla.org/show_bug.cgi?id=424188

https://bugzilla.mozilla.org/show_bug.cgi?id=418996

http://www.vupen.com/english/advisories/2009/0977

http://www.vupen.com/english/advisories/2008/1993/references

http://www.ubuntu.com/usn/usn-619-1

http://www.securitytracker.com/id?1020419

http://www.securityfocus.com/bid/30038

http://www.securityfocus.com/archive/1/494080/100/0/threaded

http://www.redhat.com/support/errata/RHSA-2008-0569.html

http://www.redhat.com/support/errata/RHSA-2008-0549.html

http://www.redhat.com/support/errata/RHSA-2008-0547.html

http://www.mozilla.org/security/announce/2008/mfsa2008-23.html

http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15

http://www.mandriva.com/security/advisories?name=MDVSA-2008:136

http://www.debian.org/security/2009/dsa-1697

http://www.debian.org/security/2008/dsa-1615

http://www.debian.org/security/2008/dsa-1607

http://wiki.rpath.com/Advisories:rPSA-2008-0216

http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1

http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.384911

http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.383152

http://security.gentoo.org/glsa/glsa-200808-03.xml

http://secunia.com/advisories/34501

http://secunia.com/advisories/33433

http://secunia.com/advisories/31377

http://secunia.com/advisories/31195

http://secunia.com/advisories/31183

http://secunia.com/advisories/31076

http://secunia.com/advisories/31069

http://secunia.com/advisories/31023

http://secunia.com/advisories/31021

http://secunia.com/advisories/31008

http://secunia.com/advisories/31005

http://secunia.com/advisories/30949

http://secunia.com/advisories/30911

http://secunia.com/advisories/30903

http://secunia.com/advisories/30898

http://secunia.com/advisories/30878

http://rhn.redhat.com/errata/RHSA-2008-0616.html

http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html

Details

Source: Mitre, NVD

Published: 2008-07-07

Updated: 2018-10-11

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical