xulrunner - several vulnerabilities

2007-12-0800:00:00

Google

osv.dev

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.936 High

EPSS

Percentile

98.7%

JSON

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2007-5947
Jesse Ruderman and Petko D. Petkov discovered that the URI handler
for JAR archives allows cross-site scripting.
CVE-2007-5959
Several crashes in the layout engine were discovered, which might
allow the execution of arbitrary code.
CVE-2007-5960
Gregory Fleischer discovered a race condition in the handling of
the window.location property, which might lead to cross-site
request forgery.

The oldstable distribution (sarge) doesn’t contain xulrunner.

For the stable distribution (etch) these problems have been fixed in
version 1.8.0.14~pre071019c-0etch1.

For the unstable distribution (sid) these problems have been fixed in
version 1.8.1.11-1.

We recommend that you upgrade your xulrunner packages.

CPENameOperatorVersion
xulrunnereq1.8.0.11-2
xulrunnereq1.8.0.11-3
xulrunnereq1.8.0.11-4
xulrunnereq1.8.0.11-4.1
xulrunnereq1.8.0.12-0etch1
xulrunnereq1.8.0.13~pre070720-0etch1
xulrunnereq1.8.0.13~pre070720-0etch2
xulrunnereq1.8.0.13~pre070720-0etch3
xulrunnereq1.8.0.13~pre070720-0etch3+lenny1
xulrunnereq1.8.0.14~pre071019b-0etch1

Name	Operator	Version
xulrunner	eq	1.8.0.11-2
xulrunner	eq	1.8.0.11-3
xulrunner	eq	1.8.0.11-4
xulrunner	eq	1.8.0.11-4.1
xulrunner	eq	1.8.0.12-0etch1
xulrunner	eq	1.8.0.13~pre070720-0etch1
xulrunner	eq	1.8.0.13~pre070720-0etch2
xulrunner	eq	1.8.0.13~pre070720-0etch3
xulrunner	eq	1.8.0.13~pre070720-0etch3+lenny1
xulrunner	eq	1.8.0.14~pre071019b-0etch1