CVE-2008-5024 — XML Injection (aka Blind XPath Injection) in Mozilla Firefox

CWE-91 — XML Injection (aka Blind XPath Injection)7 documents6 sources

Severity

7.5HIGHNVD

EPSS

7.2%

top 8.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird +2 more

Timeline

PublishedNov 13

Latest updateMay 14

Description

Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly escape quote characters used for XML processing, which allows remote attackers to conduct XML injection attacks via the default namespace in an E4X document.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶NVDmozilla/firefox2.0 — 2.0.0.18+1

▶NVDmozilla/seamonkey1.0 — 1.1.13

▶NVDmozilla/thunderbird2.0 — 2.0.0.18

Also affects: Debian Linux 4.0, Ubuntu Linux 6.06, 7.10, 8.04, 8.10

🔴Vulnerability Details

GHSA

GHSA-r9x5-wf23-5hh7: Mozilla Firefox 3↗2022-05-14

▶

CVEList

CVE-2008-5024: Mozilla Firefox 3↗2008-11-13

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2008-11-26

▶

Ubuntu

Firefox and xulrunner vulnerabilities↗2008-11-17

▶

Red Hat

Mozilla parsing error in E4X default namespace↗2008-11-12

▶

💬Community

Bugzilla

CVE-2008-5024 Mozilla parsing error in E4X default namespace↗2008-11-10

▶