mozilla | Mozilla Foundation | MFSA2008-23
Jul 01, 2008 - 12:00 a.m.

Signed JAR tampering — Mozilla

2008-07-01 00:00:00
Mozilla Foundation
www.mozilla.org

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.401 Medium
Percentile: 97.3%

Security researchers Collin Jackson and Adam Barth reported a series of vulnerabilities which allow JavaScript to be injected into the context of signed JARs and executed under the context of the JAR’s signer. This could allow an attacker to run JavaScript in a victim’s browser with the privileges of a different website, provided the attacker possesses a JAR signed by the other website.

Affected configurations

Vulners
Node
mozilla firefox Range <2.0.0.15
OR
mozilla firefox Range <3
OR
mozilla seamonkey Range <1.1.10

CPE Name    Operator    Version
firefox     lt          2.0.0.15
firefox     lt          3
seamonkey   lt          1.1.10
