CVE-2008-4582

2008-10-1520:08:00

CWE-264

[email protected]

web.nvd.nist.gov

mozilla

firefox

seamonkey

windows

cve-2008-4582

same origin policy

url shortcut

remote attack

8.8 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

73.8%

JSON

Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.

CPENameOperatorVersion
debian:debian_linuxdebian debian linuxeq4.0
mozilla:firefoxmozilla firefoxeq3.0.1
mozilla:firefoxmozilla firefoxeq3.0.2
mozilla:firefoxmozilla firefoxeq3.0.3
mozilla:firefoxmozilla firefoxeq2.0
mozilla:firefoxmozilla firefoxeq2.0.0.1
mozilla:firefoxmozilla firefoxeq2.0.0.10
mozilla:firefoxmozilla firefoxeq2.0.0.11
mozilla:firefoxmozilla firefoxeq2.0.0.12
mozilla:firefoxmozilla firefoxeq2.0.0.13

CPE	Name	Operator	Version
debian:debian_linux	debian debian linux	eq	4.0
mozilla:firefox	mozilla firefox	eq	3.0.1
mozilla:firefox	mozilla firefox	eq	3.0.2
mozilla:firefox	mozilla firefox	eq	3.0.3
mozilla:firefox	mozilla firefox	eq	2.0
mozilla:firefox	mozilla firefox	eq	2.0.0.1
mozilla:firefox	mozilla firefox	eq	2.0.0.10
mozilla:firefox	mozilla firefox	eq	2.0.0.11
mozilla:firefox	mozilla firefox	eq	2.0.0.12
mozilla:firefox	mozilla firefox	eq	2.0.0.13