CVE-2009-1307

critical

Description

The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to (1) bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; (2) read, create, or modify Local Shared Objects via a Flash file; or (3) bypass unspecified restrictions and render content via vectors involving a jar: URI.

References

https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00504.html

https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00444.html

https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00683.html

https://usn.ubuntu.com/764-1/

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7008

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6266

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6154

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5933

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10972

https://bugzilla.mozilla.org/show_bug.cgi?id=481342

http://www.vupen.com/english/advisories/2009/1125

http://www.ubuntu.com/usn/usn-782-1

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.454275

http://www.securitytracker.com/id?1022093

http://www.securityfocus.com/bid/34656

http://www.redhat.com/support/errata/RHSA-2009-1126.html

http://www.redhat.com/support/errata/RHSA-2009-1125.html

http://www.redhat.com/support/errata/RHSA-2009-0436.html

http://www.mozilla.org/security/announce/2009/mfsa2009-17.html

http://www.mandriva.com/security/advisories?name=MDVSA-2009:141

http://www.mandriva.com/security/advisories?name=MDVSA-2009:111

http://www.debian.org/security/2009/dsa-1830

http://www.debian.org/security/2009/dsa-1797

http://sunsolve.sun.com/search/document.do?assetkey=1-66-264308-1

http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.425408

http://secunia.com/advisories/35882

http://secunia.com/advisories/35602

http://secunia.com/advisories/35561

http://secunia.com/advisories/35536

http://secunia.com/advisories/35065

http://secunia.com/advisories/35042

http://secunia.com/advisories/34894

http://secunia.com/advisories/34844

http://secunia.com/advisories/34843

http://secunia.com/advisories/34780

http://secunia.com/advisories/34758

http://rhn.redhat.com/errata/RHSA-2009-0437.html

http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html

Details

Source: Mitre, NVD

Published: 2009-04-22

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Critical