CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

EPSS: 0.003 Low (Percentile: 71.0%)

The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey
before 1.1.7 does not update the origin domain when retrieving the inner
URL parameter yields an HTTP redirect, which allows remote attackers to
conduct cross-site scripting (XSS) attacks via a jar: URI, a different
vulnerability than CVE-2007-5947.

Author | Note |
---|---|
jdstrand | notified asac (asked if backported code from MFSA-37 fixes this on Dapper); per asac, dapper is fixed |

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 8.04 | noarch | seamonkey | < 1.1.9+nobinonly-0ubuntu1 | UNKNOWN |
ubuntu | 8.10 | noarch | seamonkey | < 1.1.9+nobinonly-0ubuntu1 | UNKNOWN |
ubuntu | 7.10 | noarch | xulrunner | < 1.8.1.18+nobinonly.b308.cvs20090331t155113-0ubuntu0.7.10.1 | UNKNOWN |
ubuntu | 8.04 | noarch | xulrunner | < 1.8.1.13+nobinonly-0ubuntu1 | UNKNOWN |
ubuntu | 8.10 | noarch | xulrunner | < 1.8.1.13+nobinonly-0ubuntu1 | UNKNOWN |