CVE-2008-7293Mozilla Firefox vulnerability

CWE-2644 documents4 sources
Severity
5.8MEDIUMNVD
EPSS
0.6%
top 30.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Firefox
Timeline
PublishedAug 9
Latest updateMay 17

Description

Mozilla Firefox before 4 cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, aka a "cookie forcing" issue.

CVSS vector

AV:N/AC:M/C:N/I:P/A:PExploitability: 8.6 | Impact: 4.9

Affected Packages1 packages

NVDmozilla/firefox4.0+106

Patches

Patch: bugzilla.mozilla.orgPatch: bugzilla.mozilla.org

🔴Vulnerability Details

1
GHSA
GHSA-87wr-93m4-5rjf: Mozilla Firefox before 4 cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to2022-05-17

📋Vendor Advisories

1
Red Hat
firefox: unable to restrict modifications to cookies in HTTPS sessions due to loack of HSTS support2008-11-24

💬Community

1
Bugzilla
CVE-2008-7293 firefox: unable to restrict modifications to cookies in HTTPS sessions due to loack of HSTS support2011-08-12