CVE-2006-6077
Published 2006-11-24
Priority: P4
CVSS 2.0: 5.0 medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EPSS: 1.96% (77.8th percentile)
The (1) Password Manager in Mozilla Firefox 2.0, and 1.5.0.8 and earlier; and the (2) Passcard Manager in Netscape 8.1.2 and possibly other versions, do not properly verify that an ACTION URL in a FORM element containing a password INPUT element matches the web site for which the user stored a password, which allows remote attackers to obtain passwords via a password INPUT element on a different web page located on the web site intended for this password.
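The missing check described above is an origin comparison on the form's ACTION URL. The following is an added illustration written for this page (it is not Firefox, Netscape or Mozilla code); every hostname and URL in it is constructed. `legacyDecision` models the behaviour the CVE describes, where only the page's origin is compared with the site the credential was saved for, and `hardenedDecision` adds the check that the resolved form action must also belong to that origin and use an http(s) scheme.

```javascript
// Added illustration (not Firefox/Netscape code): the origin check a password
// manager needs before autofilling a stored credential into a form.
// All hostnames and URLs below are constructed for this example.

// A stored credential is keyed by the origin (scheme + host + port) of the
// site where the user saved it.
const STORED = { origin: 'https://forum.example.test', username: 'alice', password: '[constructed]' };

// Resolve a form's action the way a browser does: a relative action resolves
// against the document URL, and an empty or missing action submits to the page.
function resolveAction(pageUrl, action) {
  return new URL(action || '', pageUrl);
}

// Behaviour described in CVE-2006-6077: only the page origin is compared with
// the stored site; the form's ACTION URL is never examined.
function legacyDecision(cred, form) {
  const pageOrigin = new URL(form.pageUrl).origin;
  if (pageOrigin !== cred.origin) return { fill: false, reason: 'page origin differs' };
  return { fill: true, reason: 'page origin matches' };
}

// Hardened rule: the page origin AND the resolved action origin must both equal
// the stored origin, and the action must be an http(s) URL.
function hardenedDecision(cred, form) {
  const page = new URL(form.pageUrl);
  if (page.origin !== cred.origin) return { fill: false, reason: 'page origin differs' };
  const action = resolveAction(form.pageUrl, form.action);
  if (action.protocol !== 'https:' && action.protocol !== 'http:') {
    return { fill: false, reason: `non-http action scheme ${action.protocol}` };
  }
  if (action.origin !== cred.origin) {
    return { fill: false, reason: `action origin ${action.origin} differs from ${cred.origin}` };
  }
  return { fill: true, reason: 'page and action origins match' };
}

// Constructed sample forms, as the manager would see them on the site.
const FORMS = {
  // The site's own login form: relative action, same origin.
  login: { pageUrl: 'https://forum.example.test/login', action: '/session' },
  // Empty action submits to the current document.
  emptyAction: { pageUrl: 'https://forum.example.test/login', action: '' },
  // A form on a same-site page whose action points at another host: the case
  // the CVE description covers. Legacy logic fills it, the hardened rule does not.
  crossSiteAction: { pageUrl: 'https://forum.example.test/profile/12345',
                     action: 'https://collector.example.test/submit' },
  // Same host but plain http is a different origin, so no fill either.
  downgradedAction: { pageUrl: 'https://forum.example.test/login',
                      action: 'http://forum.example.test/session' },
};

// Compare both rules over every sample form; returns { name: { legacy, hardened } }.
function report() {
  const rows = {};
  for (const [name, form] of Object.entries(FORMS)) {
    rows[name] = {
      legacy: legacyDecision(STORED, form).fill,
      hardened: hardenedDecision(STORED, form).fill,
    };
  }
  return rows;
}

console.table(report());
```

Run with `node` to print the comparison table. The design point is that the origin is taken from the resolved action URL, not from the raw attribute string, so relative, empty and scheme-downgraded actions are all handled by the URL parser rather than by string matching.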
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | safari | — | — |
| mozilla | firefox | <= 1.5.0.8 | — |
| mozilla | firefox | — | — |
| netscape | navigator | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | 5.0 | MEDIUM | — |
| vendor_ubuntu | 5.0 | MEDIUM | — |
Ubuntu · Firefox regression · vendor_ubuntu · 2007-03-02 · CVSS 5.0 · MEDIUM

USN-428-1 fixed vulnerabilities in Firefox 1.5. However, changes to library paths caused applications depending on libnss3 to fail to start up. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Several flaws have been found that could be used to perform Cross-site scripting attacks. A malicious web site could exploit these to modify the contents or steal confidential data (such as passwords) from other opened web pages. (CVE-2006-6077, CVE-2007-0780, CVE-2007-0800, CVE-2007-0981, CVE-2007-0995, CVE-2007-0996)

The SSLv2 protocol support in the NSS library did not sufficiently check the validity of public keys presented with a SSL certificate. A malicious SSL web site using SSLv2 could pot
Ubuntu · Firefox vulnerabilities · vendor_ubuntu · 2007-03-01 · CVSS 5.0 · MEDIUM (CVE-2007-1092)

Several flaws have been found that could be used to perform Cross-site scripting attacks. A malicious web site could exploit these to modify the contents or steal confidential data (such as passwords) from other opened web pages. (CVE-2006-6077, CVE-2007-0780, CVE-2007-0800, CVE-2007-0981, CVE-2007-0995, CVE-2007-0996)

The SSLv2 protocol support in the NSS library did not sufficiently check the validity of public keys presented with a SSL certificate. A malicious SSL web site using SSLv2 could potentially exploit this to execute arbitrary code with the user's privileges. (CVE-2007-0008)

The SSLv2 protocol support in the NSS library did not sufficiently verify the validity of client master keys presented in an SSL client ce
Red Hat · security flaw · vendor_redhat · 2007-02-23 · CVSS 5.0 · MEDIUM (CVE-2006-6077)
GHSA · GHSA-5j29-gg9r-g9gc · ghsa_unreviewed · 2022-05-03 · MEDIUM (CVE-2006-6077)
GHSA · GHSA-vm94-3jpr-ph6q · ghsa_unreviewed · 2022-05-01 · CVSS 5.0 · MEDIUM (CVE-2006-6238)
The AutoFill feature in Apple Safari 2.0.4 does not properly verify that all automatically populated form fields are visible to the user, which allows remote attackers to obtain sensitive information, such as usernames and passwords, via input fields of zero width, a variant of CVE-2006-6077.
No detection rules found.
No public exploits indexed.
Bugzilla · CVE-2006-6077 security flaw · bugzilla · 2018-08-16 · CVSS 5.0 · MEDIUM
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
The (1) Password Manager in Mozilla Firefox 2.0, and 1.5.0.8 and earlier; and the (2) Passcard Manager in Netscape 8.1.2 and possibly other versions, do not properly verify that an ACTION URL in a FORM element containing a password INPUT element matches the web site for which the user stored a password, which allows remote attackers to obtain passwords via a password INPUT element on a different web page located on the web site intended for this password.
Bugzilla · bugzilla · 2007-03-01 · CVSS 5.0 · MEDIUM

CVE-2007-0775 Multiple Thunderbird flaws (CVE-2007-0777, CVE-2007-0995, CVE-2007-0996, CVE-2006-6077, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0008, CVE-2007-0009, CVE-2007-0981, CVE-2007-1282)

+++ This bug was initially created as a clone of Bug #230542 +++

The Mozilla project is releasing Thunderbird 1.5.0.10 to fix several flaws:

mfsa2007-01
impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0775
Jesse Ruderman, Martijn Wargers and Olli Pettay reported crashes in the layout engine
CVE-2007-0777
Brian Crowder, Igor Bukanov, Johnny Stenback, moz_bug_r_a4 and shutdown reported potential memory corruption in the JavaScript engine

mfsa2007-02
impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0995
The Mozilla pa
Bugzilla · bugzilla · 2007-03-01 · CVSS 5.0 · MEDIUM

CVE-2007-0775 Multiple Thunderbird flaws (CVE-2007-0777, CVE-2007-0995, CVE-2007-0996, CVE-2006-6077, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0008, CVE-2007-0009, CVE-2007-0981, CVE-2007-1092)

+++ This bug was initially created as a clone of Bug #229802 +++

The Mozilla project is releasing Thunderbird 1.5.0.10 to fix several flaws:

mfsa2007-01
impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0775
Jesse Ruderman, Martijn Wargers and Olli Pettay reported crashes in the layout engine
CVE-2007-0777
Brian Crowder, Igor Bukanov, Johnny Stenback, moz_bug_r_a4 and shutdown reported potential memory corruption in the JavaScript engine

mfsa2007-02
impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0995
The Mozilla pa
Bugzilla · bugzilla · 2007-02-26 · CVSS 5.0 · MEDIUM

CVE-2007-0775 Multiple Firefox flaws (CVE-2007-0777, CVE-2007-0994, CVE-2007-0995, CVE-2007-0996, CVE-2006-6077, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0008, CVE-2007-0009, CVE-2007-0981)

+++ This bug was initially created as a clone of Bug #229802 +++

The Mozilla project is releasing Firefox 1.5.0.10 to fix several flaws:

mfsa2007-01
impact=critical,source=mozilla,reported=20070222,public=20070223
CVE-2007-0775
Jesse Ruderman, Martijn Wargers and Olli Pettay reported crashes in the layout engine
CVE-2007-0777
Brian Crowder, Igor Bukanov, Johnny Stenback, moz_bug_r_a4 and shutdown reported potential memory corruption in the JavaScript engine

mfsa2007-02
impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0995
The Mozilla parser for
Bugzilla · bugzilla · 2007-02-23 · CVSS 5.0 · MEDIUM

CVE-2007-0775 Multiple Seamonkey flaws (CVE-2007-0777, CVE-2007-0995, CVE-2007-0996, CVE-2006-6077, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0008, CVE-2007-0009, CVE-2007-0981)

+++ This bug was initially created as a clone of Bug #229802 +++

The Mozilla project is releasing Seamonkey 1.0.8 to fix several flaws:

mfsa2007-01
impact=critical,source=mozilla,reported=20070222,public=20070223
CVE-2007-0775
Jesse Ruderman, Martijn Wargers and Olli Pettay reported crashes in the layout engine
CVE-2007-0777
Brian Crowder, Igor Bukanov, Johnny Stenback, moz_bug_r_a4 and shutdown reported potential memory corruption in the JavaScript engine

mfsa2007-02
impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0995
The Mozilla parser formerly ignored
Bugzilla · bugzilla · 2007-02-23 · CVSS 5.0 · MEDIUM

CVE-2007-0775 Multiple Firefox flaws (CVE-2007-0777, CVE-2007-0995, CVE-2007-0996, CVE-2006-6077, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0008, CVE-2007-0009, CVE-2007-0981)

The Mozilla project is releasing Firefox 1.5.0.10 to fix several flaws:

mfsa2007-01
impact=critical,source=mozilla,reported=20070222,public=20070223
CVE-2007-0775
Jesse Ruderman, Martijn Wargers and Olli Pettay reported crashes in the layout engine
CVE-2007-0777
Brian Crowder, Igor Bukanov, Johnny Stenback, moz_bug_r_a4 and shutdown reported potential memory corruption in the JavaScript engine

mfsa2007-02
impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0995
The Mozilla parser formerly ignored invalid trailing characters in HTML tag attribute names. This could
References

- ftp://patches.sgi.com/support/free/security/advisories/20070202-01-P.asc
- ftp://patches.sgi.com/support/free/security/advisories/20070301-01-P.asc
- http://fedoranews.org/cms/node/2713
- http://fedoranews.org/cms/node/2728
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
- http://lists.suse.com/archive/suse-security-announce/2007-Mar/0001.html
- http://rhn.redhat.com/errata/RHSA-2007-0077.html
- http://secunia.com/advisories/23046
- http://secunia.com/advisories/23108
- http://secunia.com/advisories/24205
- http://secunia.com/advisories/24238
- http://secunia.com/advisories/24287
- http://secunia.com/advisories/24290
- http://secunia.com/advisories/24293
- http://secunia.com/advisories/24320
- http://secunia.com/advisories/24328
- http://secunia.com/advisories/24333
- http://secunia.com/advisories/24342
- http://secunia.com/advisories/24343
- http://secunia.com/advisories/24384
- http://secunia.com/advisories/24393
- http://secunia.com/advisories/24395
- http://secunia.com/advisories/24437
- http://secunia.com/advisories/24457
- http://secunia.com/advisories/24650
- http://secunia.com/advisories/25588
- http://security.gentoo.org/glsa/glsa-200703-04.xml
- http://securitytracker.com/id?1017271
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.338131
- http://www.debian.org/security/2007/dsa-1336
- http://www.gentoo.org/security/en/glsa/glsa-200703-08.xml
- http://www.info-svc.com/news/11-21-2006/
- http://www.info-svc.com/news/11-21-2006/rcsr1/
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:050
- http://www.mozilla.org/security/announce/2007/mfsa2007-02.html
- http://www.novell.com/linux/security/advisories/2007_22_mozilla.html
- http://www.redhat.com/support/errata/RHSA-2007-0078.html
- http://www.redhat.com/support/errata/RHSA-2007-0079.html
- http://www.redhat.com/support/errata/RHSA-2007-0097.html
- http://www.redhat.com/support/errata/RHSA-2007-0108.html
- http://www.securityfocus.com/archive/1/452382/100/0/threaded
- http://www.securityfocus.com/archive/1/452431/100/0/threaded
- http://www.securityfocus.com/archive/1/452440/100/0/threaded
- http://www.securityfocus.com/archive/1/452463/100/0/threaded
- http://www.securityfocus.com/archive/1/454982/100/0/threaded
- http://www.securityfocus.com/archive/1/455073/100/0/threaded
- http://www.securityfocus.com/archive/1/455148/100/0/threaded
- http://www.securityfocus.com/archive/1/461336/100/0/threaded
- http://www.securityfocus.com/archive/1/461809/100/0/threaded
- http://www.securityfocus.com/bid/21240
- http://www.securityfocus.com/bid/22694
- http://www.ubuntu.com/usn/usn-428-1
- http://www.vupen.com/english/advisories/2006/4662
- http://www.vupen.com/english/advisories/2007/0718
- https://bugzilla.mozilla.org/show_bug.cgi?id=360493
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30470
- https://issues.rpath.com/browse/RPL-1081
- https://issues.rpath.com/browse/RPL-1103
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10031
+ 18 more references