CVE-2009-2065

2009-06-1500:00:00

ubuntu.com

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

54.8%

JSON

Mozilla Firefox 3.0.10, and possibly other versions, detects http content
in https web pages only when the top-level frame uses https, which allows
man-in-the-middle attackers to execute arbitrary web script, in an https
site’s context, by modifying an http page to include an https iframe that
references a script file on an http site, related to
“HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages.”

Notes

Author	Note
jdstrand	CVEs in Firefox are tracked in the xulrunner source packages. The mapping of xulrunner sources to firefox is: xulrunner (1.8.0): firefox (1.5) - Ubuntu 6.06 LTS xulrunner (1.8.1): firefox (2.0) - Ubuntu 6.10 - 8.04 LTS xulrunner-1.9: firefox-3.0 xulrunner-1.9.1: firefox-3.5 Ubuntu 6.06 LTS and 10.04 LTS uses the embedded xulrunner and not the system xulrunner-1.9.2, so it is tracked in the firefox source package.
mdeslaur	as of 2011-04-11, no details. Marking as ignored.

Author

Note

jdstrand

CVEs in Firefox are tracked in the xulrunner source packages. The mapping of xulrunner sources to firefox is: xulrunner (1.8.0): firefox (1.5) - Ubuntu 6.06 LTS xulrunner (1.8.1): firefox (2.0) - Ubuntu 6.10 - 8.04 LTS xulrunner-1.9: firefox-3.0 xulrunner-1.9.1: firefox-3.5 Ubuntu 6.06 LTS and 10.04 LTS uses the embedded xulrunner and not the system xulrunner-1.9.2, so it is tracked in the firefox source package.

mdeslaur

as of 2011-04-11, no details. Marking as ignored.