Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-0418 — Path Traversal in Mozilla Firefox

CWE-22 — Path Traversal8 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

38.7%

top 2.74%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird

Timeline

PublishedFeb 8

Latest updateMay 1

Description

Directory traversal vulnerability in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8, when using "flat" addons, allows remote attackers to read arbitrary Javascript, image, and stylesheet files via the chrome: URI scheme, as demonstrated by stealing session information from sessionstore.js.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶NVDmozilla/firefox2.0.0.11

▶NVDmozilla/seamonkey1.1.7

▶NVDmozilla/thunderbird2.0.0.11

🔴Vulnerability Details

GHSA

GHSA-2rxc-55rq-5r4c: Directory traversal vulnerability in Mozilla Firefox before 2↗2022-05-01

▶

💥Exploits & PoCs

Exploit-DB

Mozilla Firefox 2.0 - 'chrome://' URI JavaScript File Request Information Disclosure↗2008-01-19

▶

📋Vendor Advisories

Ubuntu

Thunderbird regression↗2008-03-06

▶

Ubuntu

Thunderbird vulnerabilities↗2008-02-29

▶

Ubuntu

Firefox vulnerabilities↗2008-02-08

▶

Red Hat

chrome: directory traversal↗2008-02-07

▶

💬Community

Bugzilla

CVE-2008-0418 Mozilla chrome: directory traversal↗2008-02-06

▶