CVE-2008-5022 — Improper Authentication in Mozilla Firefox

CWE-287 — Improper Authentication7 documents6 sources

Severity

7.5HIGHNVD

EPSS

13.4%

top 5.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird +2 more

Timeline

PublishedNov 13

Latest updateMay 14

Description

The nsXMLHttpRequest::NotifyEventListeners method in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to bypass the same-origin policy and execute arbitrary script via multiple listeners, which bypass the inner window check.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶NVDmozilla/firefox2.0 — 2.0.0.18+1

▶NVDmozilla/seamonkey1.0 — 1.1.13

▶NVDmozilla/thunderbird2.0 — 2.0.0.18

Also affects: Debian Linux 4.0, Ubuntu Linux 6.06, 7.10, 8.04, 8.10

🔴Vulnerability Details

GHSA

GHSA-49p4-3jx5-xgmj: The nsXMLHttpRequest::NotifyEventListeners method in Firefox 3↗2022-05-14

▶

CVEList

CVE-2008-5022: The nsXMLHttpRequest::NotifyEventListeners method in Firefox 3↗2008-11-13

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2008-11-26

▶

Ubuntu

Firefox and xulrunner vulnerabilities↗2008-11-17

▶

Red Hat

nsXMLHttpRequest:: NotifyEventListeners() same-origin violation↗2008-11-12

▶

💬Community

Bugzilla

CVE-2008-5022 Mozilla nsXMLHttpRequest::NotifyEventListeners() same-origin violation↗2008-11-10

▶