CVE-2009-0356Link Following in Mozilla Firefox

CWE-59Link Following4 documents4 sources
Severity
5.1MEDIUMNVD
EPSS
0.9%
top 24.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Firefox
Timeline
PublishedFeb 4
Latest updateMay 2

Description

Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582.

CVSS vector

AV:N/AC:H/C:P/I:P/A:PExploitability: 4.9 | Impact: 6.4

Affected Packages1 packages

NVDmozilla/firefox3.0.5+80

🔴Vulnerability Details

1
GHSA
GHSA-95pc-m84q-vvmm: Mozilla Firefox before 32022-05-02

📋Vendor Advisories

1
Red Hat
Firefox Chrome privilege escalation via local .desktop files2009-02-03

💬Community

1
Bugzilla
CVE-2009-0356 Firefox Chrome privilege escalation via local .desktop files2009-01-29