CVE-2009-1307: Improper Input Validation in Mozilla Firefox

Severity: 6.8 MEDIUM (NVD)
EPSS: 1.4% (top 19.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 22
Latest update: May 2

Description

The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to (1) bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; (2) read, create, or modify Local Shared Objects via a Flash file; or (3) bypass unspecified restrictions and render content via vectors involving a jar: URI.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P
Exploitability: 8.6 | Impact: 6.4

Affected Packages (1 package)

NVD: mozilla/firefox 3.0.8 +79

🔴 Vulnerability Details (1)

GHSA: GHSA-5cxh-4rwm-2jh3: The view-source: URI implementation in Mozilla Firefox before 3 (2022-05-02)

📋 Vendor Advisories (3)

Ubuntu: Thunderbird vulnerabilities (2009-06-25)
Ubuntu: Firefox and Xulrunner vulnerabilities (2009-04-23)
Red Hat: view-source: protocol (2009-04-21)

💬 Community (1)

Bugzilla: CVE-2009-1307 Firefox Same-origin violations when Adobe Flash loaded via view-source: protocol (2009-04-17)