CVE-2008-5012 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure7 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

6.0%

top 9.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird

Timeline

PublishedNov 13

Latest updateMay 17

Description

Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly change the source URI when processing a canvas element and an HTTP redirect, which allows remote attackers to bypass the same origin policy and access arbitrary images that are not directly accessible to the attacker. NOTE: this issue can be leveraged to enumerate software on the client by performing redirections related to moz-icon.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶NVDmozilla/firefox2.0.0.17+56

▶NVDmozilla/seamonkey1.1.12+23

▶NVDmozilla/thunderbird2.0.0.17+47

🔴Vulnerability Details

GHSA

GHSA-hfvm-r385-4pvq: Mozilla Firefox 2↗2022-05-17

▶

CVEList

CVE-2008-5012: Mozilla Firefox 2↗2008-11-13

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2008-11-26

▶

Ubuntu

Firefox and xulrunner vulnerabilities↗2008-11-17

▶

Red Hat

Mozilla Image stealing via canvas and HTTP redirect↗2008-11-12

▶

💬Community

Bugzilla

CVE-2008-5012 Mozilla Image stealing via canvas and HTTP redirect↗2008-11-10

▶