CVE-2008-1238: Improper Authentication in Mozilla Firefox

Severity: 5.0 MEDIUM (NVD)
EPSS: 5.4% (top 9.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 27; Latest update May 1

Description

Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, does not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms.

CVSS vector

AV:N/AC:L/C:N/I:P/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (2 packages)

NVD: mozilla/firefox 2.0.0.12

🔴 Vulnerability Details (1)

GHSA: GHSA-q345-fgmq-3pf3: Mozilla Firefox before 2 (2022-05-01)

💥 Exploits & PoCs (1)

Exploit-DB: Apple Mac OSX xnu 1228.x - 'vfssysctl' Local Kernel Denial of Service (PoC) (2009-03-23)

📋 Vendor Advisories (2)

Ubuntu: Firefox vulnerabilities (2008-03-26)
Red Hat: Referrer spoofing bug (2008-03-25)

💬 Community (1)

Bugzilla: CVE-2008-1238 Referrer spoofing bug (2008-03-24)