ID CVE-2009-1306
Summary The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation.
References
Vulnerable Configurations
  • cpe:2.3:a:mozilla:firefox:0.1:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.2:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.3:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.4:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.5:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.6:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.7:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.8:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.9:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.9:rc:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.9:rc:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.9.1:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.9_rc:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.9_rc:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:0.10.1:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:0.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.0:preview_release:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.0:preview_release:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.0.6:*:linux:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.0.6:*:linux:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5:beta1:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5:beta1:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5:beta2:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5:beta2:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.0.10:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.0.11:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.0.12:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.2:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.3:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.4:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.5:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.6:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.7:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.7:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5.8:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5.8:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.8:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.8:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0:beta_1:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0:beta_1:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.15:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.15:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.16:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.16:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.17:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.17:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.18:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.18:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.19:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.19:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.20:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.20:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0.0.21:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.21:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0_.1:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0_.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0_.4:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0_.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0_.5:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0_.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0_.6:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0_.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0_.7:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0_.7:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0_.9:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0_.9:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0_.10:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0_.10:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:2.0_8:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0_8:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0:alpha:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0:beta5:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0:beta5:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:-:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:-:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.0:-:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.0:-:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:1.5:-:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.5:-:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0:-:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0:-:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:3.0beta5:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:3.0beta5:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 03-10-2018 - 21:59)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
oval via4
  • accepted 2013-04-29T04:02:16.756-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation.
    family unix
    id oval:org.mitre.oval:def:10150
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation.
    version 30
  • accepted 2009-07-06T04:00:33.604-04:00
    class vulnerability
    contributors
    • name Chandan S
      organization SecPod Technologies
    • name Brendan Miles
      organization The MITRE Corporation
    • name J. Daniel Brown
      organization DTCC
    • name Sergey Artykhov
      organization ALTX-SOFT
    • name Sergey Artykhov
      organization ALTX-SOFT
    definition_extensions
    • comment Microsoft Windows XP (x86) SP2 is installed
      oval oval:org.mitre.oval:def:754
    • comment Microsoft Windows XP (x86) SP3 is installed
      oval oval:org.mitre.oval:def:5631
    • comment Microsoft Windows Vista (32-bit) is installed
      oval oval:org.mitre.oval:def:1282
    • comment Microsoft Windows Vista (32-bit) Service Pack 1 is installed
      oval oval:org.mitre.oval:def:4873
    • comment Microsoft Windows Server 2003 SP1 (x86) is installed
      oval oval:org.mitre.oval:def:565
    • comment Microsoft Windows Server 2003 SP2 (x86) is installed
      oval oval:org.mitre.oval:def:1935
    description The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation.
    family windows
    id oval:org.mitre.oval:def:6021
    status deprecated
    submitted 2009-04-30T09:45:11
    title Mozilla Firefox Cross Site Scripting Vulnerability
    version 26
  • accepted 2009-07-06T04:00:42.865-04:00
    class vulnerability
    contributors
    • name Chandan S
      organization SecPod Technologies
    • name Brendan Miles
      organization The MITRE Corporation
    • name J. Daniel Brown
      organization DTCC
    • name Shane Shaffer
      organization G2, Inc.
    definition_extensions
    • comment Microsoft Windows XP (x86) SP2 is installed
      oval oval:org.mitre.oval:def:754
    • comment Microsoft Windows XP (x86) SP3 is installed
      oval oval:org.mitre.oval:def:5631
    • comment Microsoft Windows Vista (32-bit) is installed
      oval oval:org.mitre.oval:def:1282
    • comment Microsoft Windows Vista (32-bit) Service Pack 1 is installed
      oval oval:org.mitre.oval:def:4873
    • comment Microsoft Windows Server 2003 SP1 (x86) is installed
      oval oval:org.mitre.oval:def:565
    • comment Microsoft Windows Server 2003 SP2 (x86) is installed
      oval oval:org.mitre.oval:def:1935
    description The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation.
    family windows
    id oval:org.mitre.oval:def:6194
    status deprecated
    submitted 2009-04-30T09:45:11
    title Mozilla Seamonkey Cross Site Scripting Vulnerability
    version 26
  • accepted 2009-07-06T04:00:57.523-04:00
    class vulnerability
    contributors
    • name Chandan S
      organization SecPod Technologies
    • name Brendan Miles
      organization The MITRE Corporation
    • name J. Daniel Brown
      organization DTCC
    • name Shane Shaffer
      organization G2, Inc.
    • name Richard Helbing
      organization baramundi software
    • name Evgeniy Pavlov
      organization ALTX-SOFT
    • name Evgeniy Pavlov
      organization ALTX-SOFT
    • name Evgeniy Pavlov
      organization ALTX-SOFT
    definition_extensions
    • comment Microsoft Windows XP (x86) SP2 is installed
      oval oval:org.mitre.oval:def:754
    • comment Microsoft Windows XP (x86) SP3 is installed
      oval oval:org.mitre.oval:def:5631
    • comment Microsoft Windows Vista (32-bit) is installed
      oval oval:org.mitre.oval:def:1282
    • comment Microsoft Windows Vista (32-bit) Service Pack 1 is installed
      oval oval:org.mitre.oval:def:4873
    • comment Microsoft Windows Server 2003 SP1 (x86) is installed
      oval oval:org.mitre.oval:def:565
    • comment Microsoft Windows Server 2003 SP2 (x86) is installed
      oval oval:org.mitre.oval:def:1935
    • comment Mozilla Thunderbird Mainline release is installed
      oval oval:org.mitre.oval:def:22093
    description The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation.
    family windows
    id oval:org.mitre.oval:def:6312
    status deprecated
    submitted 2009-04-30T09:45:11
    title Mozilla Thunderbird Cross Site Scripting Vulnerability
    version 29
  • accepted 2014-10-06T04:04:15.983-04:00
    class vulnerability
    contributors
    • name J. Daniel Brown
      organization DTCC
    • name Sergey Artykhov
      organization ALTX-SOFT
    • name Sergey Artykhov
      organization ALTX-SOFT
    • name Shane Shaffer
      organization G2, Inc.
    • name Maria Kedovskaya
      organization ALTX-SOFT
    • name Maria Mikhno
      organization ALTX-SOFT
    • name Richard Helbing
      organization baramundi software
    • name Evgeniy Pavlov
      organization ALTX-SOFT
    • name Evgeniy Pavlov
      organization ALTX-SOFT
    • name Evgeniy Pavlov
      organization ALTX-SOFT
    definition_extensions
    • comment Mozilla Thunderbird Mainline release is installed
      oval oval:org.mitre.oval:def:22093
    • comment Mozilla Seamonkey is installed
      oval oval:org.mitre.oval:def:6372
    • comment Mozilla Firefox Mainline release is installed
      oval oval:org.mitre.oval:def:22259
    description The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation.
    family windows
    id oval:org.mitre.oval:def:6710
    status accepted
    submitted 2009-12-26T17:00:00.000-05:00
    title Mozilla Thunderbird, Firefox and Seamonkey Cross Site Scripting Vulnerability
    version 33
redhat via4
advisories
  • rhsa
    id RHSA-2009:0436
  • rhsa
    id RHSA-2009:0437
  • rhsa
    id RHSA-2009:1125
  • rhsa
    id RHSA-2009:1126
rpms
  • firefox-0:3.0.9-1.el4
  • firefox-0:3.0.9-1.el5
  • firefox-debuginfo-0:3.0.9-1.el4
  • firefox-debuginfo-0:3.0.9-1.el5
  • xulrunner-0:1.9.0.9-1.el5
  • xulrunner-debuginfo-0:1.9.0.9-1.el5
  • xulrunner-devel-0:1.9.0.9-1.el5
  • xulrunner-devel-unstable-0:1.9.0.9-1.el5
  • seamonkey-0:1.0.9-0.33.el2
  • seamonkey-0:1.0.9-0.37.el3
  • seamonkey-0:1.0.9-41.el4
  • seamonkey-chat-0:1.0.9-0.33.el2
  • seamonkey-chat-0:1.0.9-0.37.el3
  • seamonkey-chat-0:1.0.9-41.el4
  • seamonkey-debuginfo-0:1.0.9-0.37.el3
  • seamonkey-debuginfo-0:1.0.9-41.el4
  • seamonkey-devel-0:1.0.9-0.33.el2
  • seamonkey-devel-0:1.0.9-0.37.el3
  • seamonkey-devel-0:1.0.9-41.el4
  • seamonkey-dom-inspector-0:1.0.9-0.33.el2
  • seamonkey-dom-inspector-0:1.0.9-0.37.el3
  • seamonkey-dom-inspector-0:1.0.9-41.el4
  • seamonkey-js-debugger-0:1.0.9-0.33.el2
  • seamonkey-js-debugger-0:1.0.9-0.37.el3
  • seamonkey-js-debugger-0:1.0.9-41.el4
  • seamonkey-mail-0:1.0.9-0.33.el2
  • seamonkey-mail-0:1.0.9-0.37.el3
  • seamonkey-mail-0:1.0.9-41.el4
  • seamonkey-nspr-0:1.0.9-0.33.el2
  • seamonkey-nspr-0:1.0.9-0.37.el3
  • seamonkey-nspr-devel-0:1.0.9-0.33.el2
  • seamonkey-nspr-devel-0:1.0.9-0.37.el3
  • seamonkey-nss-0:1.0.9-0.33.el2
  • seamonkey-nss-0:1.0.9-0.37.el3
  • seamonkey-nss-devel-0:1.0.9-0.33.el2
  • seamonkey-nss-devel-0:1.0.9-0.37.el3
  • thunderbird-0:1.5.0.12-23.el4
  • thunderbird-debuginfo-0:1.5.0.12-23.el4
  • thunderbird-0:2.0.0.22-2.el5_3
  • thunderbird-debuginfo-0:2.0.0.22-2.el5_3
refmap via4
bid 34656
confirm
debian DSA-1797
fedora FEDORA-2009-3875
mandriva
  • MDVSA-2009:111
  • MDVSA-2009:141
sectrack 1022095
secunia
  • 34758
  • 34780
  • 34843
  • 34844
  • 34894
  • 35042
  • 35065
  • 35536
sunalert 264308
suse SUSE-SR:2009:010
ubuntu
  • USN-764-1
  • USN-782-1
vupen ADV-2009-1125
Last major update 03-10-2018 - 21:59
Published 22-04-2009 - 18:30
Last modified 03-10-2018 - 21:59
Back to Top