CVE-2009-3014: XSS
First published: Mon Aug 31 2009(Updated: )
Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly handle javascript: URIs in HTML links within 302 error documents sent from web servers, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Location HTTP response header or (2) specifying the content of a Location HTTP response header.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | =1.4.2 | |
| Mozilla Firefox | =0.9.5 | |
| Mozilla Firefox | =1.0-rc3 | |
| Firefox | =3.0.7 | |
| Mozilla Firefox | =0.9.35 | |
| Firefox | =3.0.9 | |
| Mozilla Firefox | =0.9.3 | |
| Mozilla Firefox | =1.0.1 | |
| Mozilla Firefox | <=1.7 | |
| Firefox | =3.0.8 | |
| Mozilla Firefox | =0.9.48 | |
| Mozilla SeaMonkey | =1.1.17 | |
| Mozilla Firefox | =1.2.1 | |
| Mozilla Firefox | =1.5-rc2 | |
| Mozilla Firefox | =1.0-rc1 | |
| Firefox | =3.5 | |
| Firefox | =3.0.4 | |
| Mozilla Firefox | =1.2-alpha | |
| Firefox | =3.7-a1_pre | |
| Firefox | <=3.0.13 | |
| Firefox | =3.0.5 | |
| Mozilla Firefox | =0.9.7 | |
| Mozilla Firefox | =1.1-beta | |
| Mozilla Firefox | =1.0-rc2 | |
| Firefox | =3.6-a1_pre | |
| Mozilla Firefox | =1.6-beta | |
| Mozilla Firefox | =0.9.2.1 | |
| Mozilla Firefox | =1.4.1 | |
| Mozilla Firefox | =1.4-beta | |
| Mozilla Firefox | =1.2 | |
| Mozilla Firefox | =0.9.2 | |
| Firefox | =3.0.10 | |
| Mozilla Firefox | =1.5-alpha | |
| Mozilla Firefox | =1.4.4 | |
| Mozilla Firefox | =1.5-rc1 | |
| Mozilla Firefox | =1.3 | |
| Mozilla Firefox | =1.2-beta | |
| Firefox | =3.0.12 | |
| Firefox | =3.0.3 | |
| Mozilla Firefox | =1.0 | |
| Mozilla Firefox | =0.9.8 | |
| Mozilla Firefox | =1.4 | |
| Mozilla Firefox | =1.5 | |
| Firefox | =3.0.6 | |
| Mozilla Firefox | =0.9.4 | |
| Firefox | =3.0.1 | |
| Mozilla Firefox | =1.4-alpha | |
| Mozilla Firefox | =0.9.6 | |
| Firefox | =3.0.2 | |
| Mozilla Firefox | =1.5.1 | |
| Mozilla Firefox | =1.1 | |
| Mozilla Firefox | =1.1-alpha | |
| Mozilla Firefox | =0.9.4.1 | |
| Mozilla Firefox | =0.8 | |
| Mozilla Firefox | =1.0.2 | |
| Mozilla Firefox | =1.3.1 | |
| Mozilla Firefox | =1.6-alpha | |
| Mozilla Firefox | =0.9.9 | |
| Mozilla Firefox | =1.6 | |
| Firefox | =3.0.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2009-3014?
CVE-2009-3014 has a medium severity level as it allows for possible cross-site scripting attacks.
How do I fix CVE-2009-3014?
To mitigate CVE-2009-3014, users should update to the latest version of Mozilla Firefox or SeaMonkey that addresses this vulnerability.
Which versions are affected by CVE-2009-3014?
CVE-2009-3014 affects Mozilla Firefox versions 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre along with SeaMonkey 1.1.17 and earlier versions of Mozilla 1.7.x.
What type of attacks can exploit CVE-2009-3014?
CVE-2009-3014 can be exploited for cross-site scripting (XSS) attacks if users are tricked into navigating to a malicious link.
Are there any workarounds for CVE-2009-3014 until a fix is applied?
As a workaround for CVE-2009-3014, users should avoid clicking on suspicious links or Javascript: URIs in unknown emails or web pages.
- agent/type
- agent/references
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/mozilla
- canonical/mozilla firefox
- version/mozilla firefox/1.4.2
- version/mozilla firefox/0.9.5
- version/mozilla firefox/1.0-rc3
- canonical/firefox
- version/firefox/3.0.7
- version/mozilla firefox/0.9.35
- version/firefox/3.0.9
- version/mozilla firefox/0.9.3
- version/mozilla firefox/1.0.1
- version/mozilla firefox/1.7
- version/firefox/3.0.8
- version/mozilla firefox/0.9.48
- canonical/mozilla seamonkey
- version/mozilla seamonkey/1.1.17
- version/mozilla firefox/1.2.1
- version/mozilla firefox/1.5-rc2
- version/mozilla firefox/1.0-rc1
- version/firefox/3.5
- version/firefox/3.0.4
- version/mozilla firefox/1.2-alpha
- version/firefox/3.7-a1_pre
- version/firefox/3.0.13
- version/firefox/3.0.5
- version/mozilla firefox/0.9.7
- version/mozilla firefox/1.1-beta
- version/mozilla firefox/1.0-rc2
- version/firefox/3.6-a1_pre
- version/mozilla firefox/1.6-beta
- version/mozilla firefox/0.9.2.1
- version/mozilla firefox/1.4.1
- version/mozilla firefox/1.4-beta
- version/mozilla firefox/1.2
- version/mozilla firefox/0.9.2
- version/firefox/3.0.10
- version/mozilla firefox/1.5-alpha
- version/mozilla firefox/1.4.4
- version/mozilla firefox/1.5-rc1
- version/mozilla firefox/1.3
- version/mozilla firefox/1.2-beta
- version/firefox/3.0.12
- version/firefox/3.0.3
- version/mozilla firefox/1.0
- version/mozilla firefox/0.9.8
- version/mozilla firefox/1.4
- version/mozilla firefox/1.5
- version/firefox/3.0.6
- version/mozilla firefox/0.9.4
- version/firefox/3.0.1
- version/mozilla firefox/1.4-alpha
- version/mozilla firefox/0.9.6
- version/firefox/3.0.2
- version/mozilla firefox/1.5.1
- version/mozilla firefox/1.1
- version/mozilla firefox/1.1-alpha
- version/mozilla firefox/0.9.4.1
- version/mozilla firefox/0.8
- version/mozilla firefox/1.0.2
- version/mozilla firefox/1.3.1
- version/mozilla firefox/1.6-alpha
- version/mozilla firefox/0.9.9
- version/mozilla firefox/1.6
- version/firefox/3.0.11