CVE-2008-5508: Input Validation
First published: Wed Dec 17 2008(Updated: )
Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not properly parse URLs with leading whitespace or control characters, which might allow remote attackers to misrepresent URLs and simplify phishing attacks.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | >=2.0<2.0.0.19 | |
| Mozilla Firefox | >=3.0<3.0.5 | |
| Mozilla SeaMonkey | >=1.0<1.1.14 | |
| Mozilla Thunderbird | >=2.0<2.0.0.19 | |
| Ubuntu Linux | =6.06 | |
| Ubuntu Linux | =7.10 | |
| Ubuntu Linux | =8.04 | |
| Ubuntu Linux | =8.10 | |
| Debian GNU/Linux | =4.0 | |
| Debian GNU/Linux | =5.0 | |
| Mozilla Firefox and Thunderbird | >=2.0<2.0.0.19 | |
| Mozilla Firefox and Thunderbird | >=3.0<3.0.5 | |
| Mozilla Firefox and Thunderbird | >=2.0<2.0.0.19 | |
| Ubuntu | =6.06 | |
| Ubuntu | =7.10 | |
| Ubuntu | =8.04 | |
| Ubuntu | =8.10 | |
| Debian | =5.0 | |
| Debian | =4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=425046
- https://bugzilla.mozilla.org/show_bug.cgi?id=460803
- http://www.mozilla.org/security/announce/2008/mfsa2008-66.html
- http://secunia.com/advisories/33231
- http://www.debian.org/security/2009/dsa-1697
- http://secunia.com/advisories/33433
- http://secunia.com/advisories/33523
- http://secunia.com/advisories/33204
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:012
- http://www.securitytracker.com/id?1021426
- http://secunia.com/advisories/33203
- http://secunia.com/advisories/33205
- http://www.redhat.com/support/errata/RHSA-2008-1036.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:245
- http://secunia.com/advisories/33184
- http://www.redhat.com/support/errata/RHSA-2008-1037.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:244
- http://www.securityfocus.com/bid/32882
- http://secunia.com/advisories/33216
- http://www.ubuntu.com/usn/usn-690-2
- http://secunia.com/advisories/33188
- http://secunia.com/advisories/33547
- http://secunia.com/advisories/33189
- http://www.debian.org/security/2009/dsa-1707
- http://www.debian.org/security/2009/dsa-1704
- http://secunia.com/advisories/33421
- http://secunia.com/advisories/33434
- http://www.redhat.com/support/errata/RHSA-2009-0002.html
- http://www.debian.org/security/2009/dsa-1696
- http://secunia.com/advisories/34501
- http://www.vupen.com/english/advisories/2009/0977
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-258748-1
- http://secunia.com/advisories/35080
- http://www.ubuntu.com/usn/usn-701-2
- http://www.ubuntu.com/usn/usn-701-1
- http://secunia.com/advisories/33408
- http://secunia.com/advisories/33415
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47414
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11040
- https://usn.ubuntu.com/690-1/
Frequently Asked Questions
What is the severity of CVE-2008-5508?
CVE-2008-5508 carries a moderate severity rating due to its potential to facilitate phishing attacks.
How do I fix CVE-2008-5508?
To fix CVE-2008-5508, update your Mozilla Firefox, Thunderbird, or SeaMonkey to the latest version.
Which versions are affected by CVE-2008-5508?
CVE-2008-5508 affects Firefox versions prior to 3.0.5, Thunderbird versions prior to 2.0.0.19, and SeaMonkey versions prior to 1.1.14.
What kind of attacks are possible with CVE-2008-5508?
CVE-2008-5508 allows remote attackers to misrepresent URLs, making it easier for them to conduct phishing attacks.
Is CVE-2008-5508 specific to certain operating systems?
CVE-2008-5508 can affect users on multiple operating systems, including various versions of Ubuntu and Debian with susceptible software.
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/references
- agent/author
- agent/weakness
- agent/severity
- agent/description
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- vendor/mozilla
- canonical/mozilla firefox
- version/mozilla firefox/2.0
- version/mozilla firefox/3.0
- canonical/mozilla seamonkey
- version/mozilla seamonkey/1.0
- canonical/mozilla thunderbird
- version/mozilla thunderbird/2.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/6.06
- version/ubuntu linux/7.10
- version/ubuntu linux/8.04
- version/ubuntu linux/8.10
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/4.0
- version/debian gnu/linux/5.0
- canonical/mozilla firefox and thunderbird
- version/mozilla firefox and thunderbird/2.0
- version/mozilla firefox and thunderbird/3.0
- canonical/ubuntu
- version/ubuntu/6.06
- version/ubuntu/7.10
- version/ubuntu/8.04
- version/ubuntu/8.10
- canonical/debian
- version/debian/5.0
- version/debian/4.0