Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2007-3844 — Cross-site Scripting in Mozilla Firefox

8 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

21.7%

top 4.25%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird

Timeline

PublishedAug 8

Latest updateMay 1

Description

Mozilla Firefox 2.0.0.5, Thunderbird 2.0.0.5 and before 1.5.0.13, and SeaMonkey 1.1.3 allows remote attackers to conduct cross-site scripting (XSS) attacks with chrome privileges via an addon that inserts a (1) javascript: or (2) data: link into an about:blank document loaded by chrome via (a) the window.open function or (b) a content.location assignment, aka "Cross Context Scripting." NOTE: this issue is caused by a CVE-2007-3089 regression.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶NVDmozilla/firefox2.0.0.5

▶NVDmozilla/seamonkey1.1.3

▶NVDmozilla/thunderbird2.0.0.5

Patches

Patch: secunia.com ↗Patch: securitytracker.com ↗Patch: www.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-6p6h-7mm4-6mhv: Mozilla Firefox 2↗2022-05-01

▶

💥Exploits & PoCs

Exploit-DB

Mozilla Firefox/Thunderbird/SeaMonkey - Chrome-Loaded About:Blank Script Execution↗2007-07-31

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2007-08-25

▶

Ubuntu

Firefox vulnerabilities↗2007-08-01

▶

Red Hat

about: blank windows↗2007-07-31

▶

💬Community

Bugzilla

Mozilla products security update (CVE-2007-1095, CVE-2007-2292, CVE-2007-3511, CVE-2007-3844, CVE-2007-5334, CVE-2007-5337, CVE-2007-5338, CVE-2007-5339, CVE-2007-5340)↗2007-10-16

▶

Bugzilla

CVE-2007-3844 Privilege escalation through chrome-loaded about:blank windows↗2007-08-02

▶