CVE-2008-2808

Current Description

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly escape HTML in file:// URLs in directory listings, which allows remote attackers to conduct cross-site scripting (XSS) attacks or have unspecified other impact via a crafted filename.

Basic Data

Published: July 07, 2008
Last Modified: October 11, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-79
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • AND
    • OR - Configuration 1
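      | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
      | 2.3 | OS | Redhat | Advanced Workstation For The Itanium Processor | 2.1 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Desktop | 3.0 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Desktop | 4.0 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Enterprise Linux | 5_server | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Enterprise Linux | as_2.1 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Enterprise Linux | as_3 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Enterprise Linux | as_4 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Enterprise Linux | es_2.1 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Enterprise Linux | es_3 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Enterprise Linux | es_4 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Enterprise Linux | ws_2.1 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Enterprise Linux | ws_3 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Enterprise Linux | ws_4 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Enterprise Linux Desktop | 5_client | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Enterprise Linux Desktop Workstation | 5_client | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Redhat | Fedora | 8 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Ubuntu | Ubuntu Linux | 6.06 | * | lts_amd64 | * | * | * | * | * | | | | |
      | 2.3 | OS | Ubuntu | Ubuntu Linux | 6.06 | * | lts_i386 | * | * | * | * | * | | | | |
      | 2.3 | OS | Ubuntu | Ubuntu Linux | 6.06 | * | lts_powerpc | * | * | * | * | * | | | | |
      | 2.3 | OS | Ubuntu | Ubuntu Linux | 6.06 | * | lts_sparc | * | * | * | * | * | | | | |
      | 2.3 | OS | Ubuntu | Ubuntu Linux | 7.04 | * | amd64 | * | * | * | * | * | | | | |
      | 2.3 | OS | Ubuntu | Ubuntu Linux | 7.04 | * | i386 | * | * | * | * | * | | | | |
      | 2.3 | OS | Ubuntu | Ubuntu Linux | 7.04 | * | powerpc | * | * | * | * | * | | | | |
      | 2.3 | OS | Ubuntu | Ubuntu Linux | 7.04 | * | sparc | * | * | * | * | * | | | | |
      | 2.3 | OS | Ubuntu | Ubuntu Linux | 7.10 | * | amd64 | * | * | * | * | * | | | | |
      | 2.3 | OS | Ubuntu | Ubuntu Linux | 7.10 | * | i386 | * | * | * | * | * | | | | |
      | 2.3 | OS | Ubuntu | Ubuntu Linux | 7.10 | * | lpia | * | * | * | * | * | | | | |
      | 2.3 | OS | Ubuntu | Ubuntu Linux | 7.10 | * | powerpc | * | * | * | * | * | | | | |
      | 2.3 | OS | Ubuntu | Ubuntu Linux | 7.10 | * | sparc | * | * | * | * | * | | | | |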
    • OR Running on/with:
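      | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
      | 2.3 | Application | Mozilla | Firefox | 2.0 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0 | beta_1 | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0 | rc2 | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0 | rc3 | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0.0.2 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0.0.3 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0.0.11 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0.0.12 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0.0.13 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0.0.14 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0_.1 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0_.4 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0_.5 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0_.6 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0_.9 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0_.10 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Firefox | 2.0_8 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Seamonkey | 1.1 | beta | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Seamonkey | 1.1.1 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Seamonkey | 1.1.2 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Seamonkey | 1.1.3 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Seamonkey | 1.1.4 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Seamonkey | 1.1.5 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Seamonkey | 1.1.6 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Seamonkey | 1.1.7 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Seamonkey | 1.1.8 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Seamonkey | 1.1.9 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Thunderbird | 2.0_.4 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Thunderbird | 2.0_.5 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Thunderbird | 2.0_.6 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Thunderbird | 2.0_.9 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Thunderbird | 2.0_.12 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Thunderbird | 2.0_.13 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Thunderbird | 2.0_.14 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Mozilla | Thunderbird | 2.0_8 | * | * | * | * | * | * | * | | | | |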

Vulnerable Software List

| Vendor | Product | Versions |
| Mozilla | Firefox | 2.0, 2.0.0.11, 2.0.0.12, 2.0.0.13, 2.0.0.14, 2.0.0.2, 2.0.0.3, 2.0_.1, 2.0_.10, 2.0_.4, 2.0_.5, 2.0_.6, 2.0_.9, 2.0_8 |
| Mozilla | Thunderbird | 2.0_.12, 2.0_.13, 2.0_.14, 2.0_.4, 2.0_.5, 2.0_.6, 2.0_.9, 2.0_8 |
| Mozilla | Seamonkey | 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9 |

References

| Name | Source | URL | Tags |
| SUSE-SA:2008:034 | SUSE | http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html | |
| RHSA-2008:0616 | REDHAT | http://rhn.redhat.com/errata/RHSA-2008-0616.html | |
| 30878 | SECUNIA | http://secunia.com/advisories/30878 | |
| 30898 | SECUNIA | http://secunia.com/advisories/30898 | |
| 30903 | SECUNIA | http://secunia.com/advisories/30903 | |
| 30911 | SECUNIA | http://secunia.com/advisories/30911 | Vendor Advisory |
| 30949 | SECUNIA | http://secunia.com/advisories/30949 | |
| 31005 | SECUNIA | http://secunia.com/advisories/31005 | |
| 31008 | SECUNIA | http://secunia.com/advisories/31008 | |
| 31021 | SECUNIA | http://secunia.com/advisories/31021 | |
| 31023 | SECUNIA | http://secunia.com/advisories/31023 | |
| 31069 | SECUNIA | http://secunia.com/advisories/31069 | |
| 31076 | SECUNIA | http://secunia.com/advisories/31076 | |
| 31183 | SECUNIA | http://secunia.com/advisories/31183 | |
| 31195 | SECUNIA | http://secunia.com/advisories/31195 | |
| 31377 | SECUNIA | http://secunia.com/advisories/31377 | |
| 33433 | SECUNIA | http://secunia.com/advisories/33433 | |
| 34501 | SECUNIA | http://secunia.com/advisories/34501 | |
| GLSA-200808-03 | GENTOO | http://security.gentoo.org/glsa/glsa-200808-03.xml | |
| SSA:2008-191-03 | SLACKWARE | http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.383152 | |
| SSA:2008-191 | SLACKWARE | http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.384911 | |
| 256408 | SUNALERT | http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1 | |
| http://wiki.rpath.com/Advisories:rPSA-2008-0216 | CONFIRM | http://wiki.rpath.com/Advisories:rPSA-2008-0216 | |
| DSA-1607 | DEBIAN | http://www.debian.org/security/2008/dsa-1607 | |
| DSA-1615 | DEBIAN | http://www.debian.org/security/2008/dsa-1615 | |
| DSA-1697 | DEBIAN | http://www.debian.org/security/2009/dsa-1697 | |
| MDVSA-2008:136 | MANDRIVA | http://www.mandriva.com/security/advisories?name=MDVSA-2008:136 | |
| http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 | CONFIRM | http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 | |
| http://www.mozilla.org/security/announce/2008/mfsa2008-30.html | CONFIRM | http://www.mozilla.org/security/announce/2008/mfsa2008-30.html | |
| RHSA-2008:0547 | REDHAT | http://www.redhat.com/support/errata/RHSA-2008-0547.html | |
| RHSA-2008:0549 | REDHAT | http://www.redhat.com/support/errata/RHSA-2008-0549.html | |
| RHSA-2008:0569 | REDHAT | http://www.redhat.com/support/errata/RHSA-2008-0569.html | |
| 20080708 rPSA-2008-0216-1 firefox | BUGTRAQ | http://www.securityfocus.com/archive/1/494080/100/0/threaded | |
| 30038 | BID | http://www.securityfocus.com/bid/30038 | |
| 1020419 | SECTRACK | http://www.securitytracker.com/id?1020419 | |
| USN-619-1 | UBUNTU | http://www.ubuntu.com/usn/usn-619-1 | |
| ADV-2008-1993 | VUPEN | http://www.vupen.com/english/advisories/2008/1993/references | |
| ADV-2009-0977 | VUPEN | http://www.vupen.com/english/advisories/2009/0977 | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=411433 | CONFIRM | https://bugzilla.mozilla.org/show_bug.cgi?id=411433 | |
| https://issues.rpath.com/browse/RPL-2646 | CONFIRM | https://issues.rpath.com/browse/RPL-2646 | |
| oval:org.mitre.oval:def:9668 | OVAL | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9668 | |
| FEDORA-2008-6127 | FEDORA | https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00207.html | |
| FEDORA-2008-6193 | FEDORA | https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00288.html | |
| FEDORA-2008-6196 | FEDORA | https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00295.html | |