Published: 22/04/2009 Updated: 10/10/2018

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

VMScore: 435

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Mozilla Firefox prior to 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote malicious users to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and previous versions are also affected.

Vulnerable Product	Search on Vulmon	Subscribe to Product
mozilla firefox
mozilla firefox 0.1
mozilla firefox 0.6
mozilla firefox 0.6.1
mozilla firefox 0.7.1
mozilla firefox 1.0
mozilla firefox 1.0.5
mozilla firefox 1.0.4
mozilla firefox 1.5.0.3
mozilla firefox 1.5.0.11
mozilla firefox 1.5.6
mozilla firefox 1.5.5
mozilla firefox 1.5.3
mozilla firefox 1.5
mozilla firefox 2.0
mozilla firefox 2.0.0.1
mozilla firefox 2.0.0.11
mozilla firefox 2.0.0.19
mozilla firefox 2.0.0.3
mozilla firefox 2.0.0.2
mozilla firefox 2.0.0.6
mozilla firefox 2.0.0.5
mozilla firefox 3.0.6
mozilla firefox 3.0.4
mozilla firefox 3.0beta5
mozilla seamonkey
mozilla firefox 0.2
mozilla firefox 0.3
mozilla firefox 0.9
mozilla firefox 0.9.3
mozilla firefox 1.0.1
mozilla firefox 1.0.8
mozilla firefox 1.5.0.4
mozilla firefox 1.5.0.10
mozilla firefox 1.5.2
mozilla firefox 1.5.0.8
mozilla firefox 2.0.0.12
mozilla firefox 2.0.0.21
mozilla firefox 0.10
mozilla firefox 0.10.1
mozilla firefox 0.8
mozilla firefox 0.9.1
mozilla firefox 0.9_rc
mozilla firefox 1.0.6
mozilla firefox 1.0.7
mozilla firefox 1.5.0.12
mozilla firefox 1.5.0.1
mozilla firefox 1.5.4
mozilla firefox 1.5.1
mozilla firefox 1.8
mozilla firefox 1.5.8
mozilla firefox 2.0.0.14
mozilla firefox 2.0.0.18
mozilla firefox 2.0.0.16
mozilla firefox 2.0.0.4
mozilla firefox 2.0.0.8
mozilla firefox 2.0.0.15
mozilla firefox 2.0.0.9
mozilla firefox 3.0.1
mozilla firefox 3.0.5
mozilla firefox 3.0
mozilla firefox 3.0.3
mozilla firefox 3.0.7
mozilla firefox 0.4
mozilla firefox 0.5
mozilla firefox 0.7
mozilla firefox 0.9.2
mozilla firefox 1.0.3
mozilla firefox 1.0.2
mozilla firefox 1.5.0.5
mozilla firefox 1.5.0.2
mozilla firefox 1.5.0.6
mozilla firefox 1.5.7
mozilla firefox 1.5.0.9
mozilla firefox 1.5.0.7
mozilla firefox 2.0.0.10
mozilla firefox 2.0.0.13
mozilla firefox 2.0.0.20
mozilla firefox 2.0.0.17
mozilla firefox 2.0.0.7
mozilla firefox 2.0_8
mozilla firefox 3.0.2

Several flaws were discovered in the browser engine If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program (CVE-2009-1302, CVE-2009-1303, CVE-2009-1304, CVE-2009-1305) ...

Synopsis Critical: seamonkey security update Type/Severity Security Advisory: Critical Topic Updated seamonkey packages that fix several security issues are nowavailable for Red Hat Enterprise Linux 21, 3, and 4This update has been rated as having critical security impact by the RedHat Security Response T ...

Synopsis Critical: firefox security update Type/Severity Security Advisory: Critical Topic Updated firefox packages that fix several security issues are now availablefor Red Hat Enterprise Linux 4 and 5This update has been rated as having critical security impact by the RedHat Security Response Team ...

Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0652 Moxie Marlinspike discovered that Unicode box drawing characters inside of internationalised domai ...

Mozilla Foundation Security Advisory 2009-22 Firefox allows Refresh header to redirect to javascript: URIs Announced April 21, 2009 Reporter Michael Impact Moderate Products Firefox Fixed in ...

source: wwwsecurityfocuscom/bid/34656/info The Mozilla Foundation has released multiple security advisories specifying various vulnerabilities in Firefox, Thunderbird, and SeaMonkey Attackers can exploit these issues to bypass same-origin restrictions, obtain potentially sensitive information, and execute arbitrary script code with elev ...

CWE-16 https://bugzilla.mozilla.org/show_bug.cgi?id=475636 http://www.mozilla.org/security/announce/2009/mfsa2009-22.html http://secunia.com/advisories/34894 http://secunia.com/advisories/34758 https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00683.html http://www.securitytracker.com/id?1022096 http://secunia.com/advisories/34843 http://www.securityfocus.com/bid/34656 http://secunia.com/advisories/34844 http://www.redhat.com/support/errata/RHSA-2009-0436.html http://rhn.redhat.com/errata/RHSA-2009-0437.html http://www.vupen.com/english/advisories/2009/1125 http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html http://www.mandriva.com/security/advisories?name=MDVSA-2009:111 http://secunia.com/advisories/35065 http://ha.ckers.org/blog/20070309/firefox-header-redirection-javascript-execution/http://websecurity.com.ua/3275/http://sunsolve.sun.com/search/document.do?assetkey=1-66-264308-1 http://websecurity.com.ua/3386/https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9818 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6731 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6131 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6064 https://usn.ubuntu.com/764-1/http://www.securityfocus.com/archive/1/504723/100/0/threaded http://www.securityfocus.com/archive/1/504718/100/0/threaded https://usn.ubuntu.com/764-1/https://nvd.nist.gov https://www.exploit-db.com/exploits/32942/

CVE-2009-1312

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Exploits

References

Vulmon Search

About

Products

Connect