CVE-2007-6589: XSS
First published: Fri Dec 28 2007(Updated: )
The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 does not update the origin domain when retrieving the inner URL parameter yields an HTTP redirect, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI, a different vulnerability than CVE-2007-5947.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | <=2.0.0.9 | |
| Mozilla SeaMonkey | <=1.1.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://blog.beford.org/?p=8
- http://www.mozilla.org/security/announce/2007/mfsa2007-37.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=369814
- https://bugzilla.mozilla.org/show_bug.cgi?id=403331
- http://osvdb.org/43477
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
- http://www.vupen.com/english/advisories/2008/0083
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6033
- agent/softwarecombine
- agent/references
- agent/type
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/weakness
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/event
- agent/source
- vendor/mozilla
- canonical/mozilla firefox
- version/mozilla firefox/2.0.0.9
- canonical/mozilla seamonkey
- version/mozilla seamonkey/1.1.6