CVE-2009-0357 — Mozilla Firefox vulnerability

CWE-2648 documents6 sources
Severity
5.0MEDIUMNVD
EPSS
1.1%
top 22.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla FirefoxMozilla Seamonkey
Timeline
PublishedFeb 4
Latest updateMay 2

Description

Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

â–¶NVDmozilla/firefox3.0.5+62
â–¶NVDmozilla/seamonkey1.1.13+23

🔴Vulnerability Details

2
GHSA
GHSA-xprr-83m2-vv8v: Mozilla Firefox before 3↗2022-05-02
â–¶
CVEList
CVE-2009-0357: Mozilla Firefox before 3↗2009-02-04
â–¶

📋Vendor Advisories

4
Ubuntu
Firefox vulnerabilities↗2009-02-11
â–¶
Ubuntu
Firefox and Xulrunner vulnerabilities↗2009-02-10
â–¶
Ubuntu
Firefox vulnerabilities↗2009-02-10
â–¶
Red Hat
Firefox XMLHttpRequest allows reading HTTPOnly cookies↗2009-02-03
â–¶

💬Community

1
Bugzilla
CVE-2009-0357 Firefox XMLHttpRequest allows reading HTTPOnly cookies↗2009-01-29
â–¶
CVE-2009-0357 — Mozilla Firefox vulnerability | cvebase