CVE-2007-4041
published 2007-07-27CVE-2007-4041: Multiple argument injection vulnerabilities in Mozilla Firefox 2.0.0.5 and 3.0alpha allow remote attackers to execute arbitrary commands via a NULL byte (%00)…
PriorityP342medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EPSS
19.66%
97.1th percentile
Multiple argument injection vulnerabilities in Mozilla Firefox 2.0.0.5 and 3.0alpha allow remote attackers to execute arbitrary commands via a NULL byte (%00) and shell metacharacters in a (1) mailto, (2) nntp, (3) news, (4) snews, or (5) telnet URI, a similar issue to CVE-2007-3670.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | seamonkey | — | — |
| mozilla | thunderbird | — | — |
CVSS provenance
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_redhat9.3CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-fq6c-fr6q-6pmq: Mozilla Firefox before 2
ghsa_unreviewed·2022-05-01·CVSS 6.8
CVE-2007-3845 [MEDIUM] GHSA-fq6c-fr6q-6pmq: Mozilla Firefox before 2
Mozilla Firefox before 2.0.0.6, Thunderbird before 1.5.0.13 and 2.x before 2.0.0.6, and SeaMonkey before 1.1.4 allow remote attackers to execute arbitrary commands via certain vectors associated with launching "a file handling program based on the file extension at the end of the URI," a variant of CVE-2007-4041. NOTE: the vendor states that "it is still possible to launch a filetype handler based on extension rather than the registered protocol handler."
GHSA
GHSA-7mf2-w637-f57x: Multiple argument injection vulnerabilities in Mozilla Firefox 2
ghsa_unreviewed·2022-05-01·CVSS 4.3
CVE-2007-4041 [MEDIUM] CWE-78 GHSA-7mf2-w637-f57x: Multiple argument injection vulnerabilities in Mozilla Firefox 2
Multiple argument injection vulnerabilities in Mozilla Firefox 2.0.0.5 and 3.0alpha allow remote attackers to execute arbitrary commands via a NULL byte (%00) and shell metacharacters in a (1) mailto, (2) nntp, (3) news, (4) snews, or (5) telnet URI, a similar issue to CVE-2007-3670.
Red Hat
Mozilla: Unescaped URIs passed to external programs
vendor_redhat·2008-07-30·CVSS 9.3
CVE-2007-3845 [CRITICAL] CWE-150 Mozilla: Unescaped URIs passed to external programs
Mozilla: Unescaped URIs passed to external programs
Mozilla Firefox before 2.0.0.6, Thunderbird before 1.5.0.13 and 2.x before 2.0.0.6, and SeaMonkey before 1.1.4 allow remote attackers to execute arbitrary commands via certain vectors associated with launching "a file handling program based on the file extension at the end of the URI," a variant of CVE-2007-4041. NOTE: the vendor states that "it is still possible to launch a filetype handler based on extension rather than the registered protocol handler."
The Mozilla Foundation Security Advisory describes this flaw as:
Jesper Johansson pointed out that Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling, which can cause the receiving program to mistakenly interpret a single URI as
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.kb.cert.org/vuls/id/783400http://www.securityfocus.com/bid/25053http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/http://xs-sniper.com/blog/remote-command-exec-firefox-2005/https://bugzilla.mozilla.org/show_bug.cgi?id=389106https://bugzilla.mozilla.org/show_bug.cgi?id=389580http://www.kb.cert.org/vuls/id/783400http://www.securityfocus.com/bid/25053http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/http://xs-sniper.com/blog/remote-command-exec-firefox-2005/https://bugzilla.mozilla.org/show_bug.cgi?id=389106https://bugzilla.mozilla.org/show_bug.cgi?id=389580
2007-07-27
Published