Executive Summary
Information | |||
---|---|---|---|
Name | CVE-2007-5338 | First vendor Publication | 2007-10-21 |
Vendor | Cve | Last vendor Modification | 2018-10-15 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
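The three v2 figures above (base 9.3, impact 10, exploitability 8.6) follow directly from the vector. As an added worked example that is not part of the original page, the following JavaScript implements the CVSS v2.0 base-score equations (impact, exploitability and the f(Impact) term) and reproduces those numbers from `(AV:N/AC:M/Au:N/C:C/I:C/A:C)`; the function and table names are my own.

```javascript
// CVSS v2.0 base-score calculator (added example; equations and metric
// weights as published in the CVSS v2.0 guide).
const CVSS2_WEIGHTS = {
  AV: { L: 0.395, A: 0.646, N: 1.0 },   // Access Vector: Local / Adjacent / Network
  AC: { H: 0.35, M: 0.61, L: 0.71 },    // Access Complexity: High / Medium / Low
  Au: { M: 0.45, S: 0.56, N: 0.704 },   // Authentication: Multiple / Single / None
  C:  { N: 0.0, P: 0.275, C: 0.660 },   // Confidentiality impact
  I:  { N: 0.0, P: 0.275, C: 0.660 },   // Integrity impact
  A:  { N: 0.0, P: 0.275, C: 0.660 },   // Availability impact
};

// The v2 guide rounds to one decimal place.
function round1(x) {
  return Math.round(x * 10) / 10;
}

// Accepts "AV:N/AC:M/..." with or without the surrounding parentheses and
// rejects unknown metrics, unknown values and missing metrics.
function parseCvss2Vector(vector) {
  const body = vector.trim().replace(/^\(|\)$/g, "");
  const metrics = {};
  for (const part of body.split("/")) {
    const [k, v] = part.split(":");
    if (!(k in CVSS2_WEIGHTS) || !(v in CVSS2_WEIGHTS[k])) {
      throw new Error(`unknown CVSS v2 metric or value: ${part}`);
    }
    metrics[k] = v;
  }
  for (const k of Object.keys(CVSS2_WEIGHTS)) {
    if (!(k in metrics)) throw new Error(`missing CVSS v2 metric: ${k}`);
  }
  return metrics;
}

function cvss2BaseScores(vector) {
  const m = parseCvss2Vector(vector);
  const w = (k) => CVSS2_WEIGHTS[k][m[k]];
  // Impact = 10.41 * (1 - (1-C)(1-I)(1-A))
  const impact = 10.41 * (1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A")));
  // Exploitability = 20 * AV * AC * Au
  const exploitability = 20 * w("AV") * w("AC") * w("Au");
  // f(Impact) = 0 if Impact == 0, else 1.176
  const fImpact = impact === 0 ? 0 : 1.176;
  const base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * fImpact;
  return { base: round1(base), impact: round1(impact), exploitability: round1(exploitability) };
}

console.log(cvss2BaseScores("(AV:N/AC:M/Au:N/C:C/I:C/A:C)"));
// { base: 9.3, impact: 10, exploitability: 8.6 }
```

AC:M is what keeps this below 10.0: the flaw needs a user to perform a chrome action on a page the attacker controls, so the exploitability term is 8.6 rather than the 10.0 that AC:L would give.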
Detail
Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allow remote attackers to execute arbitrary Javascript with user privileges by using the Script object to modify XPCNativeWrappers in a way that causes the script to be executed when a chrome action is performed. |
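The security-relevant point in that description is the chrome/content trust boundary. Privileged browser ("chrome") code routinely touches DOM objects that a web page controls, and XPCNativeWrapper exists so that chrome sees the native DOM behaviour of such an object rather than properties the page has redefined; if the page can make the wrapper hand back its own code, that code runs the moment a chrome action touches the object, with chrome's privileges. The following JavaScript is an added, deliberately simplified model of that boundary. It is not Mozilla code and does not reproduce the bug: it only shows why a wrapper that forwards to the raw object, or that content can itself modify, lets page-defined code run during a chrome action, while a wrapper that resolves native properties only and refuses writes does not. The `NATIVE` table, `nativeWrap`, `unsafeWrap`, `chromeAction` and the `__attrs` state layout are assumptions made for the example.

```javascript
// Added, simplified model of the XPCNativeWrapper trust boundary.
// Not Mozilla code: it illustrates the guarantee the wrapper is meant to give.

// Constructed stand-in for a DOM element's *native* implementation, which
// chrome is entitled to trust. Native state lives in raw.__attrs (assumption).
const NATIVE = {
  get title() { return this.__attrs.title ?? ""; },
  getAttribute(name) { return this.__attrs[name] ?? null; },
};

// The raw object a web page scripts against; content may mutate it at will.
function makeContentNode(attrs) {
  const raw = Object.create(NATIVE);
  raw.__attrs = { ...attrs };
  return raw;
}

// A "wrapper" that just hands chrome the raw object: anything the page
// redefined on it runs when chrome reads it, with chrome's privileges.
function unsafeWrap(raw) {
  return raw;
}

// A wrapper that resolves every property from NATIVE only (bound to the raw
// node's state) and refuses all writes, so content can neither inject a getter
// that chrome will call nor modify the wrapper object itself.
function nativeWrap(raw) {
  return new Proxy(Object.create(null), {
    get(_target, prop) {
      const desc = Object.getOwnPropertyDescriptor(NATIVE, prop);
      if (!desc) return undefined;
      if (desc.get) return desc.get.call(raw);
      return typeof desc.value === "function" ? desc.value.bind(raw) : desc.value;
    },
    set() { return false; },
    defineProperty() { return false; },
    deleteProperty() { return false; },
    setPrototypeOf() { return false; },
  });
}

// What a hostile page does: shadow native properties with its own code so
// that reading them runs that code and returns attacker-chosen values.
// `sink` records whether the page's code ran at all.
function contentPollute(raw, sink) {
  Object.defineProperty(raw, "title", {
    configurable: true,
    get() { sink.contentCodeRan = true; return "spoofed"; },
  });
  raw.getAttribute = function () { sink.contentCodeRan = true; return "spoofed"; };
}

// A privileged "chrome action" (think: building a tooltip) that believes it is
// reading native DOM state through the node it was handed.
function chromeAction(node) {
  return `${node.title}:${node.getAttribute("title")}`;
}

// Run the scenario with a given wrapping strategy.
function demo(wrap) {
  const sink = { contentCodeRan: false };
  const raw = makeContentNode({ title: "real" });
  contentPollute(raw, sink);
  const observed = chromeAction(wrap(raw));
  return { observed, contentCodeRan: sink.contentCodeRan };
}

// Second half of the guarantee: the wrapper itself must not be modifiable by
// content. Returns true if chrome still sees native values after content
// tried to overwrite the wrapper's properties (writes either throw or are
// ignored, depending on strict mode, so both are caught).
function wrapperResistsPollution(wrap) {
  const w = wrap(makeContentNode({ title: "real" }));
  try { Object.defineProperty(w, "title", { configurable: true, get: () => "spoofed" }); } catch (_e) {}
  try { w.getAttribute = () => "spoofed"; } catch (_e) {}
  return w.title === "real" && w.getAttribute("title") === "real";
}

console.log(demo(unsafeWrap));                    // { observed: 'spoofed:spoofed', contentCodeRan: true }
console.log(demo(nativeWrap));                    // { observed: 'real:real', contentCodeRan: false }
console.log(wrapperResistsPollution(nativeWrap)); // true
```

The two properties the model checks are the ones the CVE text is about: chrome must reach native behaviour through the wrapper regardless of what content did to the underlying object, and the wrapper must not itself be a thing content can rewrite. The fixed releases named above (Firefox 2.0.0.8, SeaMonkey 1.1.5) restore the second property; on an affected version the practical mitigation is the vendor update listed in the OVAL, OpenVAS and Nessus entries below.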
Original Source
Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5338 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
50 % | CWE-16 | Configuration |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10965 | |||
Oval ID: | oval:org.mitre.oval:def:10965 | ||
Title: | Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allow remote attackers to execute arbitrary Javascript with user privileges by using the Script object to modify XPCNativeWrappers in a way that causes the script to be executed when a chrome action is performed. | ||
Description: | Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allow remote attackers to execute arbitrary Javascript with user privileges by using the Script object to modify XPCNativeWrappers in a way that causes the script to be executed when a chrome action is performed. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-5338 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:17494 | |||
Oval ID: | oval:org.mitre.oval:def:17494 | ||
Title: | USN-536-1 -- mozilla-thunderbird, thunderbird vulnerabilities | ||
Description: | Various flaws were discovered in the layout and JavaScript engines. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-536-1 CVE-2007-5339 CVE-2007-5340 CVE-2006-2894 CVE-2007-3511 CVE-2007-1095 CVE-2007-2292 CVE-2007-5334 CVE-2007-5337 CVE-2007-5338 | Version: | 7 |
Platform(s): | Ubuntu 6.06 Ubuntu 6.10 Ubuntu 7.04 Ubuntu 7.10 | Product(s): | mozilla-thunderbird thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18655 | |||
Oval ID: | oval:org.mitre.oval:def:18655 | ||
Title: | DSA-1574-1 icedove - several vulnerabilities | ||
Description: | Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1574-1 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2007-3738 CVE-2007-5338 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | icedove |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18729 | |||
Oval ID: | oval:org.mitre.oval:def:18729 | ||
Title: | DSA-1534-1 iceape | ||
Description: | Several remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1534-1 CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241 CVE-2007-3738 CVE-2007-5338 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | iceape |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18755 | |||
Oval ID: | oval:org.mitre.oval:def:18755 | ||
Title: | DSA-1532-1 xulrunner | ||
Description: | Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1532-1 CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241 CVE-2007-3738 CVE-2007-5338 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | xulrunner |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:19906 | |||
Oval ID: | oval:org.mitre.oval:def:19906 | ||
Title: | DSA-1534-2 iceape - regression | ||
Description: | Several remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1534-2 CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241 CVE-2007-3738 CVE-2007-5338 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | iceape |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:20297 | |||
Oval ID: | oval:org.mitre.oval:def:20297 | ||
Title: | DSA-1535-1 iceweasel | ||
Description: | Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1535-1 CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241 CVE-2007-3738 CVE-2007-5338 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | iceweasel |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:7395 | |||
Oval ID: | oval:org.mitre.oval:def:7395 | ||
Title: | DSA-1535 iceweasel -- several vulnerabilities | ||
Description: | Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: Peter Brodersen and Alexander Klink discovered that the autoselection of SSL client certificates could lead to users being tracked, resulting in a loss of privacy. moz_bug_r_a4 discovered that variants of CVE-2007-3738 and CVE-2007-5338 allow the execution of arbitrary code through XPCNativeWrapper. moz_bug_r_a4 discovered that insecure handling of event handlers could lead to cross-site scripting. Boris Zbarsky, Johnny Stenback and moz_bug_r_a4 discovered that incorrect principal handling could lead to cross-site scripting and the execution of arbitrary code. Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats Palmgren discovered crashes in the layout engine, which might allow the execution of arbitrary code. georgi, tgirmann and Igor Bukanov discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Gregory Fleischer discovered that HTTP Referrer headers were handled incorrectly in combination with URLs containing Basic Authentication credentials with empty usernames, resulting in potential Cross-Site Request Forgery attacks. Gregory Fleischer discovered that web content fetched through the jar: protocol can use Java to connect to arbitrary ports. This is only an issue in combination with the non-free Java plugin. Chris Thomas discovered that background tabs could generate XUL popups overlaying the current tab, resulting in potential spoofing attacks. The Mozilla products from the old stable distribution (sarge) are no longer supported. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1535 CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241 CVE-2007-3738 CVE-2007-5338 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | iceweasel |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:7869 | |||
Oval ID: | oval:org.mitre.oval:def:7869 | ||
Title: | DSA-1534 iceape -- several vulnerabilities | ||
Description: | Several remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite. The Common Vulnerabilities and Exposures project identifies the following problems: Peter Brodersen and Alexander Klink discovered that the autoselection of SSL client certificates could lead to users being tracked, resulting in a loss of privacy. moz_bug_r_a4 discovered that variants of CVE-2007-3738 and CVE-2007-5338 allow the execution of arbitrary code through XPCNativeWrapper. moz_bug_r_a4 discovered that insecure handling of event handlers could lead to cross-site scripting. Boris Zbarsky, Johnny Stenback and moz_bug_r_a4 discovered that incorrect principal handling could lead to cross-site scripting and the execution of arbitrary code. Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats Palmgren discovered crashes in the layout engine, which might allow the execution of arbitrary code. Georgi, Tgirmann and Igor Bukanov discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Gregory Fleischer discovered that HTTP Referrer headers were handled incorrectly in combination with URLs containing Basic Authentication credentials with empty usernames, resulting in potential Cross-Site Request Forgery attacks. Gregory Fleischer discovered that web content fetched through the jar: protocol can use Java to connect to arbitrary ports. This is only an issue in combination with the non-free Java plugin. Chris Thomas discovered that background tabs could generate XUL popups overlaying the current tab, resulting in potential spoofing attacks. The Mozilla products from the old stable distribution (sarge) are no longer supported. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1534 CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241 CVE-2007-3738 CVE-2007-5338 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | iceape |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:7955 | |||
Oval ID: | oval:org.mitre.oval:def:7955 | ||
Title: | DSA-1532 xulrunner -- several vulnerabilities | ||
Description: | Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: Peter Brodersen and Alexander Klink discovered that the autoselection of SSL client certificates could lead to users being tracked, resulting in a loss of privacy. moz_bug_r_a4 discovered that variants of CVE-2007-3738 and CVE-2007-5338 allow the execution of arbitrary code through XPCNativeWrapper. moz_bug_r_a4 discovered that insecure handling of event handlers could lead to cross-site scripting. Boris Zbarsky, Johnny Stenback and moz_bug_r_a4 discovered that incorrect principal handling could lead to cross-site scripting and the execution of arbitrary code. Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats Palmgren discovered crashes in the layout engine, which might allow the execution of arbitrary code. georgi, tgirmann and Igor Bukanov discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Gregory Fleischer discovered that HTTP Referrer headers were handled incorrectly in combination with URLs containing Basic Authentication credentials with empty usernames, resulting in potential Cross-Site Request Forgery attacks. Gregory Fleischer discovered that web content fetched through the jar: protocol can use Java to connect to arbitrary ports. This is only an issue in combination with the non-free Java plugin. Chris Thomas discovered that background tabs could generate XUL popups overlaying the current tab, resulting in potential spoofing attacks. The Mozilla products from the old stable distribution (sarge) are no longer supported. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1532 CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241 CVE-2007-3738 CVE-2007-5338 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | xulrunner |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-10-10 | Name : SLES9: Security update for Mozilla File : nvt/sles9p5018527.nasl |
2009-04-09 | Name : Mandriva Update for mozilla-firefox MDKSA-2007:202 (mozilla-firefox) File : nvt/gb_mandriva_MDKSA_2007_202.nasl |
2009-03-23 | Name : Ubuntu Update for mozilla-thunderbird, thunderbird vulnerabilities USN-536-1 File : nvt/gb_ubuntu_USN_536_1.nasl |
2009-03-23 | Name : Ubuntu Update for firefox vulnerabilities USN-535-1 File : nvt/gb_ubuntu_USN_535_1.nasl |
2009-02-27 | Name : Fedora Update for seamonkey FEDORA-2007-2795 File : nvt/gb_fedora_2007_2795_seamonkey_fc8.nasl |
2009-02-27 | Name : Fedora Update for thunderbird FEDORA-2007-3431 File : nvt/gb_fedora_2007_3431_thunderbird_fc7.nasl |
2009-02-27 | Name : Fedora Update for thunderbird FEDORA-2007-3414 File : nvt/gb_fedora_2007_3414_thunderbird_fc8.nasl |
2009-02-27 | Name : Fedora Update for firefox FEDORA-2007-2664 File : nvt/gb_fedora_2007_2664_firefox_fc7.nasl |
2009-02-27 | Name : Fedora Update for seamonkey FEDORA-2007-2601 File : nvt/gb_fedora_2007_2601_seamonkey_fc7.nasl |
2009-01-28 | Name : SuSE Update for MozillaFirefox,mozilla,seamonkey SUSE-SA:2007:057 File : nvt/gb_suse_2007_057.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200711-14 (firefox seamonkey xulrunner) File : nvt/glsa_200711_14.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200711-24 (mozilla-thunderbird mozilla-thunderb... File : nvt/glsa_200711_24.nasl |
2008-05-27 | Name : Debian Security Advisory DSA 1574-1 (icedove) File : nvt/deb_1574_1.nasl |
2008-04-30 | Name : Debian Security Advisory DSA 1534-2 (iceape) File : nvt/deb_1534_2.nasl |
2008-04-07 | Name : Debian Security Advisory DSA 1535-1 (iceweasel) File : nvt/deb_1535_1.nasl |
2008-04-07 | Name : Debian Security Advisory DSA 1534-1 (iceape) File : nvt/deb_1534_1.nasl |
2008-04-07 | Name : Debian Security Advisory DSA 1532-1 (xulrunner) File : nvt/deb_1532_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1392-1 (xulrunner) File : nvt/deb_1392_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1401-1 (iceape) File : nvt/deb_1401_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1396-1 (icedove) File : nvt/deb_1396_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
38033 | Mozilla Multiple Products Script Object XPCNativeWrappers Pollution |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2007-0981.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0980.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0979.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20071019_firefox_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20071019_seamonkey_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20071019_thunderbird_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-202.nasl - Type : ACT_GATHER_INFO |
2008-05-13 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1574.nasl - Type : ACT_GATHER_INFO |
2008-04-11 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1535.nasl - Type : ACT_GATHER_INFO |
2008-03-31 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1532.nasl - Type : ACT_GATHER_INFO |
2008-03-31 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1534.nasl - Type : ACT_GATHER_INFO |
2007-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_MozillaFirefox-4570.nasl - Type : ACT_GATHER_INFO |
2007-11-16 | Name : The remote Fedora host is missing a security update. File : fedora_2007-3414.nasl - Type : ACT_GATHER_INFO |
2007-11-16 | Name : The remote Fedora host is missing a security update. File : fedora_2007-3431.nasl - Type : ACT_GATHER_INFO |
2007-11-14 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200711-14.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-536-1.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-535-1.nasl - Type : ACT_GATHER_INFO |
2007-11-07 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2795.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2664.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-2601.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1401.nasl - Type : ACT_GATHER_INFO |
2007-10-30 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1396.nasl - Type : ACT_GATHER_INFO |
2007-10-26 | Name : The remote openSUSE host is missing a security update. File : suse_seamonkey-4596.nasl - Type : ACT_GATHER_INFO |
2007-10-25 | Name : The remote openSUSE host is missing a security update. File : suse_seamonkey-4594.nasl - Type : ACT_GATHER_INFO |
2007-10-25 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0980.nasl - Type : ACT_GATHER_INFO |
2007-10-25 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2007-0981.nasl - Type : ACT_GATHER_INFO |
2007-10-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0980.nasl - Type : ACT_GATHER_INFO |
2007-10-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0979.nasl - Type : ACT_GATHER_INFO |
2007-10-25 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1392.nasl - Type : ACT_GATHER_INFO |
2007-10-25 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2007-0981.nasl - Type : ACT_GATHER_INFO |
2007-10-25 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0979.nasl - Type : ACT_GATHER_INFO |
2007-10-24 | Name : A web browser on the remote host is prone to multiple flaws. File : seamonkey_115.nasl - Type : ACT_GATHER_INFO |
2007-10-24 | Name : The remote openSUSE host is missing a security update. File : suse_MozillaFirefox-4572.nasl - Type : ACT_GATHER_INFO |
2007-10-24 | Name : The remote openSUSE host is missing a security update. File : suse_MozillaFirefox-4574.nasl - Type : ACT_GATHER_INFO |
2007-10-19 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_2008.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History
Date | Information |
---|---|
2024-02-10 01:07:08 | |
2024-02-02 01:07:28 | |
2024-02-01 12:02:26 | |
2023-09-05 12:06:58 | |
2023-09-05 01:02:18 | |
2023-09-02 12:07:05 | |
2023-09-02 01:02:18 | |
2023-08-12 12:08:14 | |
2023-08-12 01:02:18 | |
2023-08-11 12:07:08 | |
2023-08-11 01:02:23 | |
2023-08-06 12:06:49 | |
2023-08-06 01:02:19 | |
2023-08-04 12:06:54 | |
2023-08-04 01:02:22 | |
2023-07-14 12:06:53 | |
2023-07-14 01:02:20 | |
2023-03-29 01:07:42 | |
2023-03-28 12:02:25 | |
2022-10-11 12:06:06 | |
2022-10-11 01:02:10 | |
2021-05-04 12:06:30 | |
2021-04-22 01:07:02 | |
2020-10-14 01:03:10 | |
2020-10-03 01:03:08 | |
2020-05-29 01:02:54 | |
2020-05-23 01:38:51 | |
2020-05-23 00:20:34 | |
2018-10-16 00:19:17 | |
2018-10-04 00:19:30 | |
2017-11-22 12:02:25 | |
2017-11-21 12:01:58 | |
2017-09-29 09:23:14 | |
2017-07-29 12:02:35 | |
2016-06-28 16:58:51 | |
2016-04-26 16:41:12 | |
2014-02-17 10:42:03 | |
2013-05-11 10:38:38 | |