CVE-2007-5947

Published: 14/11/2007 Updated: 15/10/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

The jar protocol handler in Mozilla Firefox prior to 2.0.0.10 and SeaMonkey prior to 1.1.7 retrieves the inner URL regardless of its MIME type, and considers HTML documents within a jar archive to have the same origin as the inner URL, which allows remote malicious users to conduct cross-site scripting (XSS) attacks via a jar: URI.

Vulnerable Products

mozilla firefox 2.0.0.4
mozilla firefox 2.0.0.5
mozilla seamonkey 1.1.3
mozilla seamonkey 1.1.2
mozilla firefox 2.0.0.6
mozilla firefox 2.0.0.7
mozilla firefox 2.0.0.8
mozilla seamonkey 1.1.1
mozilla firefox 2.0.0.1
mozilla firefox
mozilla seamonkey
mozilla firefox 2.0.0.2
mozilla firefox 2.0.0.3
mozilla seamonkey 1.1.5
mozilla seamonkey 1.1.4

Vendor Advisories

USN-546-1 fixed vulnerabilities in Firefox. The upstream update included a faulty patch which caused the drawImage method of the canvas element to fail. This update fixes the problem ...
It was discovered that Firefox incorrectly associated redirected sites as the origin of “jar:” contents. A malicious web site could exploit this to modify or steal confidential data (such as passwords) from other web sites. (CVE-2007-5947) ...
Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-5947: Jesse Ruderman and Petko D. Petkov discovered that the URI handler for JAR archives allows cross-site scripting. CVE-2007-5959: Se ...
Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-5947: Jesse Ruderman and Petko D. Petkov discovered that the URI handler for JAR archives allows cross-site scripting. CVE ...
Mozilla Foundation Security Advisory 2007-37: jar: URI scheme XSS hazard. Announced: November 26, 2007. Reporter: Jesse Ruderman, Petko D. Petkov, beford.org. Impact: High. Products: Firefox, SeaMonkey. Fixed in ...

References

CWE-79
http://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues
https://bugzilla.mozilla.org/show_bug.cgi?id=369814
http://www.kb.cert.org/vuls/id/715737
http://www.securityfocus.com/bid/26385
http://secunia.com/advisories/27605
http://www.mozilla.org/security/announce/2007/mfsa2007-37.html
http://www.debian.org/security/2007/dsa-1424
http://www.debian.org/security/2007/dsa-1425
http://www.redhat.com/support/errata/RHSA-2007-1082.html
http://www.redhat.com/support/errata/RHSA-2007-1084.html
http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00004.html
http://www.ubuntu.com/usn/usn-546-2
http://www.securitytracker.com/id?1018928
http://secunia.com/advisories/27793
http://secunia.com/advisories/27796
http://secunia.com/advisories/27797
http://secunia.com/advisories/27816
http://secunia.com/advisories/27944
http://secunia.com/advisories/27957
http://secunia.com/advisories/28001
http://bugs.gentoo.org/show_bug.cgi?id=198965
http://bugs.gentoo.org/show_bug.cgi?id=200909
https://issues.rpath.com/browse/RPL-1984
http://wiki.rpath.com/wiki/Advisories:rPSA-2007-0260
http://security.gentoo.org/glsa/glsa-200712-21.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2007:246
http://www.redhat.com/support/errata/RHSA-2007-1083.html
http://secunia.com/advisories/28016
http://secunia.com/advisories/27955
http://secunia.com/advisories/28171
http://secunia.com/advisories/28277
http://browser.netscape.com/releasenotes/
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.374833
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.365006
http://secunia.com/advisories/27800
http://secunia.com/advisories/27838
http://secunia.com/advisories/27845
http://secunia.com/advisories/28398
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg01011.html
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00168.html
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00135.html
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00115.html
http://secunia.com/advisories/27855
http://secunia.com/advisories/27979
http://sunsolve.sun.com/search/document.do?assetkey=1-26-231441-1
http://wiki.rpath.com/Advisories:rPSA-2008-0093
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093
https://issues.rpath.com/browse/RPL-1995
http://secunia.com/advisories/29164
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1018977.1-1
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
http://www.vupen.com/english/advisories/2007/3818
http://www.vupen.com/english/advisories/2007/4002
http://www.vupen.com/english/advisories/2008/0083
http://www.vupen.com/english/advisories/2007/4018
http://www.vupen.com/english/advisories/2008/0643
https://exchange.xforce.ibmcloud.com/vulnerabilities/38356
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9873
https://usn.ubuntu.com/546-1/
http://www.securityfocus.com/archive/1/488971/100/0/threaded
http://www.securityfocus.com/archive/1/488002/100/0/threaded
https://nvd.nist.gov
https://usn.ubuntu.com/546-2/
https://www.kb.cert.org/vuls/id/715737