CVE-2008-2933 — Improper Input Validation in Mozilla Firefox

CWE-20 — Improper Input Validation CWE-94 — Code Injection11 documents5 sources

Severity

7.5HIGHNVD

NVD2.6

EPSS

6.2%

top 9.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox

Timeline

PublishedJul 17

Latest updateMay 1

Description

Mozilla Firefox before 2.0.0.16, and 3.x before 3.0.1, interprets '|' (pipe) characters in a command-line URI as requests to open multiple tabs, which allows remote attackers to access chrome:i URIs, or read arbitrary local files via manipulations involving a series of URIs that is not entirely handled by a vector application, as exploited in conjunction with CVE-2008-2540. NOTE: this issue exists because of an insufficient fix for CVE-2005-2267.

CVSS vector

AV:N/AC:H/C:P/I:N/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages1 packages

▶NVDmozilla/firefox2.0.0.15+62

🔴Vulnerability Details

GHSA

GHSA-jrjj-g3cm-58m8: Mozilla Firefox 3↗2022-05-01

▶

GHSA

GHSA-9wm7-g493-2j99: Mozilla Firefox before 2↗2022-05-01

▶

📋Vendor Advisories

Ubuntu

Devhelp, Epiphany, Midbrowser and Yelp update↗2008-08-04

▶

Ubuntu

Firefox and xulrunner vulnerabilities↗2008-07-28

▶

Ubuntu

Firefox vulnerabilities↗2008-07-17

▶

Red Hat

Firefox command line URL launches multi-tabs↗2008-07-15

▶

Red Hat

security flaw↗2008-07-15

▶

💬Community

Bugzilla

CVE-2008-3198 security flaw↗2018-08-16

▶

Bugzilla

CVE-2008-2933 Firefox command line URL launches multi-tabs↗2008-07-09

▶