CVE-2009-1306Cross-site Scripting in Mozilla Firefox

CWE-166 documents5 sources
Severity
4.3MEDIUMNVD
EPSS
1.8%
top 17.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Firefox
Timeline
PublishedApr 22
Latest updateMay 2

Description

The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

NVDmozilla/firefox3.0.8+87

🔴Vulnerability Details

1
GHSA
GHSA-hh3w-x3wq-8jvq: The jar: URI implementation in Mozilla Firefox before 32022-05-02

📋Vendor Advisories

3
Ubuntu
Thunderbird vulnerabilities2009-06-25
Ubuntu
Firefox and Xulrunner vulnerabilities2009-04-23
Red Hat
jar: scheme ignores the content-disposition: header on the inner URI2009-04-21

💬Community

1
Bugzilla
CVE-2009-1306 Firefox jar: scheme ignores the content-disposition: header on the inner URI2009-04-17