CVE-2008-4065 — Cross-site Scripting in Mozilla Firefox

CWE-79 — Cross-site Scripting9 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

1.3%

top 19.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird +2 more

Timeline

PublishedSep 24

Latest updateMay 2

Description

Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allow remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via byte order mark (BOM) characters that are removed from JavaScript code before execution, aka "Stripped BOM characters bug."

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶NVDmozilla/firefox3.0 — 3.0.2+1

▶NVDmozilla/seamonkey< 1.1.12

▶NVDmozilla/thunderbird< 2.0.0.17

Also affects: Debian Linux 4.0, Ubuntu Linux 6.06, 7.04, 7.10, 8.04

🔴Vulnerability Details

GHSA

GHSA-xppm-mp6m-c6fw: Mozilla Firefox before 2↗2022-05-02

▶

CVEList

CVE-2008-4065: Mozilla Firefox before 2↗2008-09-24

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2008-09-26

▶

Ubuntu

Firefox and xulrunner regression↗2008-09-25

▶

Ubuntu

Firefox vulnerabilities↗2008-09-24

▶

Ubuntu

Firefox and xulrunner vulnerabilities↗2008-09-24

▶

Red Hat

Mozilla BOM characters stripped from JavaScript before execution↗2008-09-23

▶

💬Community

Bugzilla

CVE-2008-4065 Mozilla BOM characters stripped from JavaScript before execution↗2008-09-22

▶