CVE-2008-5024
First published: Thu Nov 13 2008(Updated: )
Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly escape quote characters used for XML processing, which allows remote attackers to conduct XML injection attacks via the default namespace in an E4X document.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | >=2.0<2.0.0.18 | |
| Firefox | >=3.0<3.0.4 | |
| Mozilla SeaMonkey | >=1.0<1.1.13 | |
| Thunderbird | >=2.0<2.0.0.18 | |
| Debian Linux | =4.0 | |
| Ubuntu | =6.06 | |
| Ubuntu | =7.10 | |
| Ubuntu | =8.04 | |
| Ubuntu | =8.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00004.html
- http://secunia.com/advisories/32684
- http://secunia.com/advisories/32693
- http://secunia.com/advisories/32694
- http://secunia.com/advisories/32695
- http://secunia.com/advisories/32713
- http://secunia.com/advisories/32714
- http://secunia.com/advisories/32715
- http://secunia.com/advisories/32721
- http://secunia.com/advisories/32778
- http://secunia.com/advisories/32798
- http://secunia.com/advisories/32845
- http://secunia.com/advisories/32853
- http://secunia.com/advisories/33433
- http://secunia.com/advisories/33434
- http://secunia.com/advisories/34501
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1
- http://ubuntu.com/usn/usn-667-1
- http://www.debian.org/security/2008/dsa-1669
- http://www.debian.org/security/2008/dsa-1671
- http://www.debian.org/security/2009/dsa-1696
- http://www.debian.org/security/2009/dsa-1697
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:228
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:230
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:235
- http://www.mozilla.org/security/announce/2008/mfsa2008-58.html
- http://www.redhat.com/support/errata/RHSA-2008-0976.html
- http://www.redhat.com/support/errata/RHSA-2008-0977.html
- http://www.redhat.com/support/errata/RHSA-2008-0978.html
- http://www.securityfocus.com/bid/32281
- http://www.securitytracker.com/id?1021192
- http://www.us-cert.gov/cas/techalerts/TA08-319A.html
- http://www.vupen.com/english/advisories/2008/3146
- http://www.vupen.com/english/advisories/2009/0977
- https://bugzilla.mozilla.org/show_bug.cgi?id=453915
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9063
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00366.html
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00385.html
Frequently Asked Questions
What is the severity of CVE-2008-5024?
CVE-2008-5024 has been classified as a moderate severity vulnerability.
Which software versions are affected by CVE-2008-5024?
CVE-2008-5024 affects Mozilla Firefox versions prior to 3.0.4 and 2.0.0.18, Thunderbird versions prior to 2.0.0.18, and SeaMonkey versions prior to 1.1.13.
How do I fix CVE-2008-5024?
To fix CVE-2008-5024, update your affected software to the latest version that resolves this vulnerability.
What type of attack does CVE-2008-5024 allow?
CVE-2008-5024 allows remote attackers to conduct XML injection attacks via improperly escaped quote characters.
Is there a workaround for CVE-2008-5024 if updates cannot be applied?
There are no specific workarounds mentioned for CVE-2008-5024, but using updated software is the best mitigation.
- agent/references
- agent/type
- agent/weakness
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/mozilla
- canonical/firefox
- version/firefox/2.0
- version/firefox/3.0
- canonical/mozilla seamonkey
- version/mozilla seamonkey/1.0
- canonical/thunderbird
- version/thunderbird/2.0
- vendor/debian
- canonical/debian linux
- version/debian linux/4.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/6.06
- version/ubuntu/7.10
- version/ubuntu/8.04
- version/ubuntu/8.10