CVE-2007-4041 — Improper Neutralization of Escape, Meta, or Control Sequences in Mozilla Firefox

CWE-150 — Improper Neutralization of Escape, Meta, or Control Sequences CWE-78 — OS Command Injection5 documents3 sources

Severity

9.3CRITICALNVD

NVD6.8

EPSS

10.9%

top 6.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Internet Explorer Mozilla Firefox Mozilla Seamonkey +1 more

Timeline

PublishedJul 27

Latest updateMay 1

Description

Multiple argument injection vulnerabilities in Mozilla Firefox 2.0.0.5 and 3.0alpha allow remote attackers to execute arbitrary commands via a NULL byte (%00) and shell metacharacters in a (1) mailto, (2) nntp, (3) news, (4) snews, or (5) telnet URI, a similar issue to CVE-2007-3670.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages4 packages

▶NVDmozilla/firefox2.0.0.5, 3.0+1

▶NVDmozilla/seamonkey1.1.3

▶NVDmozilla/thunderbird2.0.0.5

▶NVDmicrosoft/internet_explorer7

🔴Vulnerability Details

GHSA

GHSA-fq6c-fr6q-6pmq: Mozilla Firefox before 2↗2022-05-01

▶

GHSA

GHSA-7mf2-w637-f57x: Multiple argument injection vulnerabilities in Mozilla Firefox 2↗2022-05-01

▶

📋Vendor Advisories

Red Hat

Mozilla: Unescaped URIs passed to external programs↗2008-07-30

▶