Executive Summary
| Informations | |||
|---|---|---|---|
| Name | CVE-2009-1312 | First vendor Publication | 2009-04-22 |
| Vendor | Cve | Last vendor Modification | 2018-10-10 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 4.3 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected. |
Original Source
| Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1312 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-16 | Configuration |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13435 | |||
| Oval ID: | oval:org.mitre.oval:def:13435 | ||
| Title: | DSA-1797-1 xulrunner -- several | ||
| Description: | Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0652 Moxie Marlinspike discovered that Unicode box drawing characters inside of internationalised domain names could be used for phishing attacks. CVE-2009-1302 Olli Pettay, Martijn Wargers, Mats Palmgren, Oleg Romashin, Jesse Ruderman and Gary Kwong reported crashes in the in the layout engine, which might allow the execution of arbitrary code. CVE-2009-1303 Olli Pettay, Martijn Wargers, Mats Palmgren, Oleg Romashin, Jesse Ruderman and Gary Kwong reported crashes in the in the layout engine, which might allow the execution of arbitrary code. CVE-2009-1304 Igor Bukanov and Bob Clary discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. CVE-2009-1305 Igor Bukanov and Bob Clary discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. CVE-2009-1306 Daniel Veditz discovered that the Content-Disposition: header is ignored within the jar: URI scheme. CVE-2009-1307 Gregory Fleischer discovered that the same-origin policy for Flash files is inproperly enforced for files loaded through the view-source scheme, which may result in bypass of cross-domain policy restrictions. CVE-2009-1308 Cefn Hoile discovered that sites, which allow the embedding of third-party stylesheets are vulnerable to cross-site scripting attacks through XBL bindings. CVE-2009-1309 "moz_bug_r_a4" discovered bypasses of the same-origin policy in the XMLHttpRequest Javascript API and the XPCNativeWrapper. CVE-2009-1311 Paolo Amadini discovered that incorrect handling of POST data when saving a web site with an embedded frame may lead to information disclosure. CVE-2009-1312 It was discovered that Iceweasel allows Refresh: headers to redirect to Javascript URIs, resulting in cross-site scripting. For the stable distribution, these problems have been fixed in version 1.9.0.9-0lenny2. As indicated in the Etch release notes, security support for the Mozilla products in the oldstable distribution needed to be stopped before the end of the regular Etch security maintenance life cycle. You are strongly encouraged to upgrade to stable or switch to a still supported browser. For the unstable distribution, these problems have been fixed in version 1.9.0.9-1. We recommend that you upgrade your xulrunner packages. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1797-1 CVE-2009-0652 CVE-2009-1302 CVE-2009-1303 CVE-2009-1304 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1308 CVE-2009-1309 CVE-2009-1311 CVE-2009-1312 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | xulrunner |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:21861 | |||
| Oval ID: | oval:org.mitre.oval:def:21861 | ||
| Title: | ELSA-2009:0436: firefox security update (Critical) | ||
| Description: | Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected. | ||
| Family: | unix | Class: | patch |
| Reference(s): | ELSA-2009:0436-02 CVE-2009-0652 CVE-2009-1302 CVE-2009-1303 CVE-2009-1304 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1308 CVE-2009-1309 CVE-2009-1310 CVE-2009-1311 CVE-2009-1312 | Version: | 53 |
| Platform(s): | Oracle Linux 5 | Product(s): | firefox xulrunner |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:29267 | |||
| Oval ID: | oval:org.mitre.oval:def:29267 | ||
| Title: | RHSA-2009:0436 -- firefox security update (Critical) | ||
| Description: | Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-1302, CVE-2009-1303, CVE-2009-1304, CVE-2009-1305) | ||
| Family: | unix | Class: | patch |
| Reference(s): | RHSA-2009:0436 CESA-2009:0436-CentOS 5 CVE-2009-0652 CVE-2009-1302 CVE-2009-1303 CVE-2009-1304 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1308 CVE-2009-1309 CVE-2009-1310 CVE-2009-1311 CVE-2009-1312 | Version: | 3 |
| Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 CentOS Linux 5 | Product(s): | firefox xulrunner |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:6064 | |||
| Oval ID: | oval:org.mitre.oval:def:6064 | ||
| Title: | Mozilla Firefox XSS Vulnerability | ||
| Description: | Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected. | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2009-1312 | Version: | 3 |
| Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista | Product(s): | Mozilla Firefox |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:6131 | |||
| Oval ID: | oval:org.mitre.oval:def:6131 | ||
| Title: | Mozilla Seamonkey XSS Vulnerability | ||
| Description: | Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected. | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2009-1312 | Version: | 2 |
| Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista | Product(s): | Mozilla Seamonkey |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:6731 | |||
| Oval ID: | oval:org.mitre.oval:def:6731 | ||
| Title: | Mozilla Firefox and Seamonkey XSS Vulnerability | ||
| Description: | Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected. | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2009-1312 | Version: | 10 |
| Platform(s): | Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 | Product(s): | Mozilla Seamonkey Mozilla Firefox |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:6920 | |||
| Oval ID: | oval:org.mitre.oval:def:6920 | ||
| Title: | DSA-1797 xulrunner -- several vulnerabilities | ||
| Description: | Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Moxie Marlinspike discovered that Unicode box drawing characters inside of internationalised domain names could be used for phishing attacks. Olli Pettay, Martijn Wargers, Mats Palmgren, Oleg Romashin, Jesse Ruderman and Gary Kwong reported crashes in the layout engine, which might allow the execution of arbitrary code. Olli Pettay, Martijn Wargers, Mats Palmgren, Oleg Romashin, Jesse Ruderman and Gary Kwong reported crashes in the layout engine, which might allow the execution of arbitrary code. Igor Bukanov and Bob Clary discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Igor Bukanov and Bob Clary discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Daniel Veditz discovered that the Content-Disposition: header is ignored within the jar: URI scheme. Gregory Fleischer discovered that the same-origin policy for Flash files is inproperly enforced for files loaded through the view-source scheme, which may result in bypass of cross-domain policy restrictions. Cefn Hoile discovered that sites, which allow the embedding of third-party stylesheets are vulnerable to cross-site scripting attacks through XBL bindings. "moz_bug_r_a4" discovered bypasses of the same-origin policy in the XMLHttpRequest Javascript API and the XPCNativeWrapper. Paolo Amadini discovered that incorrect handling of POST data when saving a web site with an embedded frame may lead to information disclosure. It was discovered that Iceweasel allows Refresh: headers to redirect to Javascript URIs, resulting in cross-site scripting. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1797 CVE-2009-0652 CVE-2009-1302 CVE-2009-1303 CVE-2009-1304 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1308 CVE-2009-1309 CVE-2009-1311 CVE-2009-1312 | Version: | 3 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | xulrunner |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:9818 | |||
| Oval ID: | oval:org.mitre.oval:def:9818 | ||
| Title: | Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected. | ||
| Description: | Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2009-1312 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2011-08-09 | Name : CentOS Update for firefox CESA-2009:0436 centos4 i386 File : nvt/gb_CESA-2009_0436_firefox_centos4_i386.nasl |
| 2011-08-09 | Name : CentOS Update for firefox CESA-2009:0436 centos5 i386 File : nvt/gb_CESA-2009_0436_firefox_centos5_i386.nasl |
| 2011-08-09 | Name : CentOS Update for seamonkey CESA-2009:0437-02 centos2 i386 File : nvt/gb_CESA-2009_0437-02_seamonkey_centos2_i386.nasl |
| 2011-08-09 | Name : CentOS Update for seamonkey CESA-2009:0437 centos4 i386 File : nvt/gb_CESA-2009_0437_seamonkey_centos4_i386.nasl |
| 2009-10-11 | Name : SLES11: Security update for Mozilla File : nvt/sles11_mozilla-xulrunn.nasl |
| 2009-10-11 | Name : SLES11: Security update for MozillaFirefox File : nvt/sles11_MozillaFirefox1.nasl |
| 2009-06-05 | Name : Ubuntu USN-773-1 (pango1.0) File : nvt/ubuntu_773_1.nasl |
| 2009-06-05 | Name : Ubuntu USN-772-1 (mpfr) File : nvt/ubuntu_772_1.nasl |
| 2009-06-05 | Name : Ubuntu USN-771-1 (libmodplug) File : nvt/ubuntu_771_1.nasl |
| 2009-06-05 | Name : Ubuntu USN-765-1 (xulrunner-1.9) File : nvt/ubuntu_765_1.nasl |
| 2009-06-05 | Name : Mandrake Security Advisory MDVSA-2009:111 (firefox) File : nvt/mdksa_2009_111.nasl |
| 2009-06-05 | Name : Ubuntu USN-764-1 (xulrunner-1.9) File : nvt/ubuntu_764_1.nasl |
| 2009-06-05 | Name : Ubuntu USN-763-1 (xine-lib) File : nvt/ubuntu_763_1.nasl |
| 2009-05-25 | Name : CentOS Security Advisory CESA-2009:0437 (seamonkey) File : nvt/ovcesa2009_0437.nasl |
| 2009-05-20 | Name : SuSE Security Summary SUSE-SR:2009:010 File : nvt/suse_sr_2009_010.nasl |
| 2009-05-20 | Name : Mandrake Security Advisory MDVSA-2009:111-1 (firefox) File : nvt/mdksa_2009_111_1.nasl |
| 2009-05-11 | Name : Debian Security Advisory DSA 1797-1 (xulrunner) File : nvt/deb_1797_1.nasl |
| 2009-04-30 | Name : Mozilla Firefox Multiple Vulnerabilities Apr-09 (Linux) File : nvt/secpod_firefox_mult_vuln_apr09_lin.nasl |
| 2009-04-30 | Name : Mozilla Firefox Multiple Vulnerabilities Apr-09 (Win) File : nvt/secpod_firefox_mult_vuln_apr09_win.nasl |
| 2009-04-30 | Name : Mozilla Seamonkey Multiple Vulnerabilities Apr-09 (Linux) File : nvt/secpod_seamonkey_mult_vuln_apr09_lin.nasl |
| 2009-04-30 | Name : Mozilla Seamonkey Multiple Vulnerabilities Apr-09 (Win) File : nvt/secpod_seamonkey_mult_vuln_apr09_win.nasl |
| 2009-04-28 | Name : CentOS Security Advisory CESA-2009:0437-02 (seamonkey) File : nvt/ovcesa2009_0437_02.nasl |
| 2009-04-28 | Name : RedHat Security Advisory RHSA-2009:0436 File : nvt/RHSA_2009_0436.nasl |
| 2009-04-28 | Name : CentOS Security Advisory CESA-2009:0436 (firefox) File : nvt/ovcesa2009_0436.nasl |
| 2009-04-28 | Name : FreeBSD Ports: firefox File : nvt/freebsd_firefox38.nasl |
| 2009-04-28 | Name : Fedora Core 10 FEDORA-2009-3893 (epiphany) File : nvt/fcore_2009_3893.nasl |
| 2009-04-28 | Name : Fedora Core 9 FEDORA-2009-3875 (firefox) File : nvt/fcore_2009_3875.nasl |
| 2009-04-28 | Name : RedHat Security Advisory RHSA-2009:0437 File : nvt/RHSA_2009_0437.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 53952 | Mozilla Multiple Products Server Refresh Header XSS |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-0436.nasl - Type : ACT_GATHER_INFO |
| 2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-0437.nasl - Type : ACT_GATHER_INFO |
| 2013-01-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201301-01.nasl - Type : ACT_GATHER_INFO |
| 2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090421_firefox_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
| 2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090421_seamonkey_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
| 2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-0436.nasl - Type : ACT_GATHER_INFO |
| 2009-09-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_mozilla-xulrunner190-090427.nasl - Type : ACT_GATHER_INFO |
| 2009-09-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_MozillaFirefox-090427.nasl - Type : ACT_GATHER_INFO |
| 2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_mozilla-xulrunner190-090427.nasl - Type : ACT_GATHER_INFO |
| 2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_MozillaFirefox-090427.nasl - Type : ACT_GATHER_INFO |
| 2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_mozilla-xulrunner190-090427.nasl - Type : ACT_GATHER_INFO |
| 2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_MozillaFirefox-090427.nasl - Type : ACT_GATHER_INFO |
| 2009-05-26 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-0437.nasl - Type : ACT_GATHER_INFO |
| 2009-05-13 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-111.nasl - Type : ACT_GATHER_INFO |
| 2009-05-11 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1797.nasl - Type : ACT_GATHER_INFO |
| 2009-04-29 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-765-1.nasl - Type : ACT_GATHER_INFO |
| 2009-04-27 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2009-3893.nasl - Type : ACT_GATHER_INFO |
| 2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-764-1.nasl - Type : ACT_GATHER_INFO |
| 2009-04-23 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2009-3875.nasl - Type : ACT_GATHER_INFO |
| 2009-04-22 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0437.nasl - Type : ACT_GATHER_INFO |
| 2009-04-22 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0436.nasl - Type : ACT_GATHER_INFO |
| 2009-04-22 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_309.nasl - Type : ACT_GATHER_INFO |
| 2009-04-22 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_3b18e2372f1511de96720030843d3802.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History
| Date | Informations |
|---|---|
| 2024-02-10 01:10:23 |
|
| 2024-02-02 01:10:54 |
|
| 2024-02-01 12:03:04 |
|
| 2023-09-05 12:10:12 |
|
| 2023-09-05 01:02:55 |
|
| 2023-09-02 12:10:18 |
|
| 2023-09-02 01:02:56 |
|
| 2023-08-12 12:12:02 |
|
| 2023-08-12 01:02:56 |
|
| 2023-08-11 12:10:20 |
|
| 2023-08-11 01:03:02 |
|
| 2023-08-06 12:09:55 |
|
| 2023-08-06 01:02:57 |
|
| 2023-08-04 12:10:01 |
|
| 2023-08-04 01:03:00 |
|
| 2023-07-14 12:09:58 |
|
| 2023-07-14 01:02:57 |
|
| 2023-03-29 01:11:28 |
|
| 2023-03-28 12:03:03 |
|
| 2022-10-11 12:08:53 |
|
| 2022-10-11 01:02:46 |
|
| 2021-05-04 12:09:25 |
|
| 2021-04-22 01:09:46 |
|
| 2020-10-14 01:04:30 |
|
| 2020-10-03 01:04:29 |
|
| 2020-05-29 01:04:06 |
|
| 2020-05-23 01:40:18 |
|
| 2020-05-23 00:23:39 |
|
| 2018-10-11 00:19:35 |
|
| 2018-10-04 00:19:35 |
|
| 2017-11-22 12:02:59 |
|
| 2017-09-29 09:24:10 |
|
| 2016-04-27 09:40:32 |
|
| 2016-04-26 18:45:43 |
|
| 2014-02-17 10:49:43 |
|
| 2013-05-10 23:49:00 |
|
