CVE-2007-3656: Infoleak
First published: Tue Jul 10 2007(Updated: )
Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not perform a security zone check when processing a wyciwyg URI, which allows remote attackers to obtain sensitive information, poison the browser cache, and possibly enable further attack vectors via (1) HTTP 302 redirect controls, (2) XMLHttpRequest, or (3) view-source URIs.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | =1.5.2 | |
| Firefox | =1.5.0.6 | |
| Firefox | =1.8 | |
| Firefox | =1.5.0.10 | |
| Firefox | =1.5.0.3 | |
| Firefox | =1.5.0.11 | |
| Firefox | =1.5.4 | |
| Firefox | =1.0.2 | |
| Firefox | =1.5 | |
| Firefox | =1.0.4 | |
| Firefox | =1.0.7 | |
| Firefox | =1.5.6 | |
| Firefox | =1.0 | |
| Firefox | =1.5.0.7 | |
| Firefox | =1.0.1 | |
| Firefox | =1.5.0.8 | |
| Firefox | =1.5.0.9 | |
| Firefox | =1.5.0.5 | |
| Firefox | =1.5.7 | |
| Firefox | =1.5.0.12 | |
| Firefox | =1.5.0.2 | |
| Firefox | =1.0.3 | |
| Firefox | =1.5.1 | |
| Firefox | =1.5.5 | |
| Firefox | =1.5.8 | |
| Firefox | =1.5.3 | |
| Firefox | =1.5.0.4 | |
| Firefox | =1.5.0.1 | |
| Firefox | =1.0.5 | |
| Firefox | =1.0.6 | |
| Firefox | =1.0.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lcamtuf.coredump.cx/ffcache/
- https://bugzilla.mozilla.org/show_bug.cgi?id=387333
- http://www.securityfocus.com/bid/24831
- http://www.mozilla.org/security/announce/2007/mfsa2007-24.html
- http://support.novell.com/techcenter/psdb/07d098f99c9fe6956523beae37f32fda.html
- http://www.debian.org/security/2007/dsa-1337
- http://www.debian.org/security/2007/dsa-1338
- http://www.debian.org/security/2007/dsa-1339
- http://www.gentoo.org/security/en/glsa/glsa-200708-09.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:152
- http://www.redhat.com/support/errata/RHSA-2007-0722.html
- http://www.redhat.com/support/errata/RHSA-2007-0724.html
- http://www.novell.com/linux/security/advisories/2007_49_mozilla.html
- http://www.ubuntu.com/usn/usn-490-1
- http://www.securitytracker.com/id?1018411
- http://secunia.com/advisories/25990
- http://secunia.com/advisories/26103
- http://secunia.com/advisories/26107
- http://secunia.com/advisories/25589
- http://secunia.com/advisories/26179
- http://secunia.com/advisories/26149
- http://secunia.com/advisories/26151
- http://secunia.com/advisories/26072
- http://secunia.com/advisories/26211
- http://secunia.com/advisories/26216
- http://secunia.com/advisories/26204
- http://secunia.com/advisories/26205
- http://secunia.com/advisories/26159
- http://secunia.com/advisories/26271
- http://secunia.com/advisories/26258
- http://secunia.com/advisories/26460
- http://securityreason.com/securityalert/2872
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-103177-1
- http://secunia.com/advisories/28135
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-201516-1
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
- http://www.vupen.com/english/advisories/2007/4256
- http://osvdb.org/38028
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35298
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9105
- http://www.securityfocus.com/archive/1/474542/100/0/threaded
- http://www.securityfocus.com/archive/1/474226/100/0/threaded
- http://www.securityfocus.com/archive/1/473191/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2007-3656?
CVE-2007-3656 has a medium severity level due to the potential for sensitive information disclosure.
How do I fix CVE-2007-3656?
To fix CVE-2007-3656, upgrade Mozilla Firefox to version 1.8.0.13 or later.
What versions of Firefox are affected by CVE-2007-3656?
CVE-2007-3656 affects several versions of Firefox, including 1.0.x, 1.5.x, and 1.8.0.x before version 1.8.0.13.
Can CVE-2007-3656 allow for cache poisoning?
Yes, CVE-2007-3656 can potentially allow remote attackers to poison the browser cache.
What types of attacks are enabled by CVE-2007-3656?
CVE-2007-3656 may enable attacks such as HTTP 302 redirect controls, leading to further exploitation.
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/description
- agent/event
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- vendor/mozilla
- canonical/firefox
- version/firefox/1.5.2
- version/firefox/1.5.0.6
- version/firefox/1.8
- version/firefox/1.5.0.10
- version/firefox/1.5.0.3
- version/firefox/1.5.0.11
- version/firefox/1.5.4
- version/firefox/1.0.2
- version/firefox/1.5
- version/firefox/1.0.4
- version/firefox/1.0.7
- version/firefox/1.5.6
- version/firefox/1.0
- version/firefox/1.5.0.7
- version/firefox/1.0.1
- version/firefox/1.5.0.8
- version/firefox/1.5.0.9
- version/firefox/1.5.0.5
- version/firefox/1.5.7
- version/firefox/1.5.0.12
- version/firefox/1.5.0.2
- version/firefox/1.0.3
- version/firefox/1.5.1
- version/firefox/1.5.5
- version/firefox/1.5.8
- version/firefox/1.5.3
- version/firefox/1.5.0.4
- version/firefox/1.5.0.1
- version/firefox/1.0.5
- version/firefox/1.0.6
- version/firefox/1.0.8