CVE-2009-3376

2009-10-2914:30:00

CWE-16

[email protected]

web.nvd.nist.gov

cve-2009-3376

mozilla firefox

seamonkey

unicode

vulnerability

security issue

9 High

AI Score

Confidence

High

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.014 Low

EPSS

Percentile

86.3%

JSON

Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file.

CPENameOperatorVersion
mozilla:seamonkeymozilla seamonkeyeq1.1.10
mozilla:seamonkeymozilla seamonkeyeq1.0.3
mozilla:firefoxmozilla firefoxeq3.5.3
mozilla:seamonkeymozilla seamonkeyeq1.1.8
mozilla:firefoxmozilla firefoxeq3.0.7
mozilla:seamonkeymozilla seamonkeyeq1.0.1
mozilla:seamonkeymozilla seamonkeyeq1.1.7
mozilla:firefoxmozilla firefoxeq3.0.9
mozilla:seamonkeymozilla seamonkeyeq1.0.6
mozilla:seamonkeymozilla seamonkeyeq1.0.9

CPE	Name	Operator	Version
mozilla:seamonkey	mozilla seamonkey	eq	1.1.10
mozilla:seamonkey	mozilla seamonkey	eq	1.0.3
mozilla:firefox	mozilla firefox	eq	3.5.3
mozilla:seamonkey	mozilla seamonkey	eq	1.1.8
mozilla:firefox	mozilla firefox	eq	3.0.7
mozilla:seamonkey	mozilla seamonkey	eq	1.0.1
mozilla:seamonkey	mozilla seamonkey	eq	1.1.7
mozilla:firefox	mozilla firefox	eq	3.0.9
mozilla:seamonkey	mozilla seamonkey	eq	1.0.6
mozilla:seamonkey	mozilla seamonkey	eq	1.0.9