CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

EPSS: 0.002 Low (Percentile: 54.8%)

Mozilla Firefox 3.0.10, and possibly other versions, detects http content
in https web pages only when the top-level frame uses https, which allows
man-in-the-middle attackers to execute arbitrary web script, in an https
site's context, by modifying an http page to include an https iframe that
references a script file on an http site, related to
"HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages."
Author | Note |
---|---|
jdstrand | CVEs in Firefox are tracked in the xulrunner source packages. The mapping of xulrunner sources to firefox is: xulrunner (1.8.0): firefox (1.5) - Ubuntu 6.06 LTS; xulrunner (1.8.1): firefox (2.0) - Ubuntu 6.10 - 8.04 LTS; xulrunner-1.9: firefox-3.0; xulrunner-1.9.1: firefox-3.5. Ubuntu 6.06 LTS and 10.04 LTS use the embedded xulrunner and not the system xulrunner-1.9.2, so it is tracked in the firefox source package. |
mdeslaur | as of 2011-04-11, no details. Marking as ignored. |