CVE-2009-1309Cross-site Scripting in Mozilla Firefox

CWE-166 documents5 sources
Severity
4.3MEDIUMNVD
EPSS
1.8%
top 17.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Firefox
Timeline
PublishedApr 22
Latest updateMay 2

Description

Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey do not properly implement the Same Origin Policy for (1) XMLHttpRequest, involving a mismatch for a document's principal, and (2) XPCNativeWrapper.toString, involving an incorrect __proto__ scope, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via a crafted document.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

NVDmozilla/firefox3.0.8+87

🔴Vulnerability Details

1
GHSA
GHSA-g3r3-3vcq-q6hc: Mozilla Firefox before 32022-05-02

📋Vendor Advisories

3
Ubuntu
Thunderbird vulnerabilities2009-06-25
Ubuntu
Firefox and Xulrunner vulnerabilities2009-04-23
Red Hat
Firefox Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString2009-04-21

💬Community

1
Bugzilla
CVE-2009-1309 Firefox Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString2009-04-17