CVE-2007-2870: XSS
First published: Fri Jun 01 2007(Updated: )
Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to bypass the same-origin policy and conduct cross-site scripting (XSS) and other attacks by using the addEventListener method to add an event listener for a site, which is executed in the context of that site.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | =1.5.0.6 | |
| Mozilla SeaMonkey | =1.0.9 | |
| Firefox | =2.0.0.2 | |
| Firefox | =1.5.0.10 | |
| Firefox | =1.5.0.3 | |
| Firefox | =1.5.0.11 | |
| Firefox | =1.5 | |
| Mozilla SeaMonkey | =1.1.2 | |
| Firefox | =1.5.0.7 | |
| Firefox | =2.0 | |
| Firefox | =1.5.0.8 | |
| Firefox | =2.0.0.3 | |
| Firefox | =1.5.0.9 | |
| Firefox | =1.5.0.5 | |
| Firefox | =1.5.0.2 | |
| Firefox | =2.0.0.1 | |
| Firefox | =1.5.0.4 | |
| Firefox | =1.5.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.mozilla.org/security/announce/2007/mfsa2007-16.html
- https://issues.rpath.com/browse/RPL-1424
- http://www.debian.org/security/2007/dsa-1300
- http://www.debian.org/security/2007/dsa-1306
- http://www.debian.org/security/2007/dsa-1308
- http://security.gentoo.org/glsa/glsa-200706-06.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:120
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:126
- http://www.redhat.com/support/errata/RHSA-2007-0400.html
- http://www.redhat.com/support/errata/RHSA-2007-0402.html
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.571857
- http://www.novell.com/linux/security/advisories/2007_36_mozilla.html
- http://www.ubuntu.com/usn/usn-468-1
- http://www.us-cert.gov/cas/techalerts/TA07-151A.html
- http://www.securityfocus.com/bid/24242
- http://www.securitytracker.com/id?1018160
- http://www.securitytracker.com/id?1018161
- http://secunia.com/advisories/25476
- http://secunia.com/advisories/25533
- http://secunia.com/advisories/25559
- http://secunia.com/advisories/25635
- http://secunia.com/advisories/25647
- http://secunia.com/advisories/25685
- http://secunia.com/advisories/25534
- http://secunia.com/advisories/25469
- http://secunia.com/advisories/25488
- http://secunia.com/advisories/25490
- http://secunia.com/advisories/25491
- http://secunia.com/advisories/25750
- http://secunia.com/advisories/25858
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
- http://www.vupen.com/english/advisories/2007/1994
- http://osvdb.org/35136
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34614
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9547
- http://www.securityfocus.com/archive/1/470172/100/200/threaded
Frequently Asked Questions
What is the severity of CVE-2007-2870?
CVE-2007-2870 is considered a high severity vulnerability due to its ability to bypass the same-origin policy.
How do I fix CVE-2007-2870?
To mitigate CVE-2007-2870, users should upgrade to Firefox version 1.5.0.12 or 2.0.0.4, or the equivalent version of SeaMonkey.
What versions are affected by CVE-2007-2870?
CVE-2007-2870 affects Mozilla Firefox versions 1.5.x prior to 1.5.0.12 and 2.x prior to 2.0.0.4, as well as SeaMonkey versions 1.0.9 and 1.1.2.
What type of attacks can be conducted using CVE-2007-2870?
CVE-2007-2870 allows remote attackers to conduct cross-site scripting (XSS) and other related attacks.
What is the cause of CVE-2007-2870?
CVE-2007-2870 is caused by the misuse of the addEventListener method that enables scripts from different origins to interact.
- agent/references
- agent/type
- agent/author
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/mozilla
- canonical/firefox
- version/firefox/1.5.0.6
- canonical/mozilla seamonkey
- version/mozilla seamonkey/1.0.9
- version/firefox/2.0.0.2
- version/firefox/1.5.0.10
- version/firefox/1.5.0.3
- version/firefox/1.5.0.11
- version/firefox/1.5
- version/mozilla seamonkey/1.1.2
- version/firefox/1.5.0.7
- version/firefox/2.0
- version/firefox/1.5.0.8
- version/firefox/2.0.0.3
- version/firefox/1.5.0.9
- version/firefox/1.5.0.5
- version/firefox/1.5.0.2
- version/firefox/2.0.0.1
- version/firefox/1.5.0.4
- version/firefox/1.5.0.1