CVE-2008-5506
First published: Wed Dec 17 2008(Updated: )
Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy by causing the browser to issue an XMLHttpRequest to an attacker-controlled resource that uses a 302 redirect to a resource in a different domain, then reading content from the response, aka "response disclosure."
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | >=2.0<2.0.0.19 | |
| Mozilla Firefox | >=3.0<3.0.5 | |
| Mozilla SeaMonkey | >=1.0<1.1.14 | |
| Mozilla Thunderbird | >=2.0<2.0.0.19 | |
| Ubuntu Linux | =6.06 | |
| Ubuntu Linux | =7.10 | |
| Ubuntu Linux | =8.04 | |
| Ubuntu Linux | =8.10 | |
| Debian GNU/Linux | =4.0 | |
| Debian GNU/Linux | =5.0 | |
| Mozilla Firefox and Thunderbird | >=2.0<2.0.0.19 | |
| Mozilla Firefox and Thunderbird | >=3.0<3.0.5 | |
| Mozilla Firefox and Thunderbird | >=2.0<2.0.0.19 | |
| Ubuntu | =6.06 | |
| Ubuntu | =7.10 | |
| Ubuntu | =8.04 | |
| Ubuntu | =8.10 | |
| Debian | =5.0 | |
| Debian | =4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://secunia.com/advisories/33184
- http://secunia.com/advisories/33188
- http://secunia.com/advisories/33189
- http://secunia.com/advisories/33203
- http://secunia.com/advisories/33204
- http://secunia.com/advisories/33205
- http://secunia.com/advisories/33216
- http://secunia.com/advisories/33231
- http://secunia.com/advisories/33232
- http://secunia.com/advisories/33408
- http://secunia.com/advisories/33415
- http://secunia.com/advisories/33421
- http://secunia.com/advisories/33433
- http://secunia.com/advisories/33434
- http://secunia.com/advisories/33523
- http://secunia.com/advisories/33547
- http://secunia.com/advisories/34501
- http://secunia.com/advisories/35080
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-258748-1
- http://www.debian.org/security/2009/dsa-1696
- http://www.debian.org/security/2009/dsa-1697
- http://www.debian.org/security/2009/dsa-1704
- http://www.debian.org/security/2009/dsa-1707
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:244
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:245
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:012
- http://www.mozilla.org/security/announce/2008/mfsa2008-64.html
- http://www.redhat.com/support/errata/RHSA-2008-1036.html
- http://www.redhat.com/support/errata/RHSA-2008-1037.html
- http://www.redhat.com/support/errata/RHSA-2009-0002.html
- http://www.securityfocus.com/bid/32882
- http://www.securitytracker.com/id?1021427
- http://www.ubuntu.com/usn/usn-690-2
- http://www.ubuntu.com/usn/usn-701-1
- http://www.ubuntu.com/usn/usn-701-2
- http://www.vupen.com/english/advisories/2009/0977
- https://bugzilla.mozilla.org/show_bug.cgi?id=458248
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47412
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10512
- https://usn.ubuntu.com/690-1/
- https://usn.ubuntu.com/690-3/
Frequently Asked Questions
What is the severity of CVE-2008-5506?
CVE-2008-5506 is classified as a high severity vulnerability due to its potential to allow attackers to bypass the same origin policy.
How do I fix CVE-2008-5506?
To fix CVE-2008-5506, users should update their Mozilla Firefox, Thunderbird, or SeaMonkey to the latest versions available.
Which software versions are affected by CVE-2008-5506?
CVE-2008-5506 affects Mozilla Firefox versions prior to 3.0.5, Thunderbird versions prior to 2.0.0.19, and SeaMonkey versions prior to 1.1.14.
What is the attack vector for CVE-2008-5506?
CVE-2008-5506 can be exploited by remote attackers via a crafted XMLHttpRequest that leverages 302 redirects.
What are the potential impacts of CVE-2008-5506?
Exploitation of CVE-2008-5506 can lead to unauthorized access and data leakage due to bypassing the same origin policy.
- agent/references
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/weakness
- agent/author
- agent/severity
- agent/description
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- vendor/mozilla
- canonical/mozilla firefox
- version/mozilla firefox/2.0
- version/mozilla firefox/3.0
- canonical/mozilla seamonkey
- version/mozilla seamonkey/1.0
- canonical/mozilla thunderbird
- version/mozilla thunderbird/2.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/6.06
- version/ubuntu linux/7.10
- version/ubuntu linux/8.04
- version/ubuntu linux/8.10
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/4.0
- version/debian gnu/linux/5.0
- canonical/mozilla firefox and thunderbird
- version/mozilla firefox and thunderbird/2.0
- version/mozilla firefox and thunderbird/3.0
- canonical/ubuntu
- version/ubuntu/6.06
- version/ubuntu/7.10
- version/ubuntu/8.04
- version/ubuntu/8.10
- canonical/debian
- version/debian/5.0
- version/debian/4.0