Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-1834: Improper Input Validation in Mozilla Firefox

Severity: 4.3 MEDIUM (NVD)
EPSS: 11.4% (top 6.43%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jun 12 | Latest update May 2

Description

Visual truncation vulnerability in netwerk/dns/src/nsIDNService.cpp in Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 allows remote attackers to spoof the location bar via an IDN with invalid Unicode characters that are displayed as whitespace, as demonstrated by the \u115A through \u115E characters.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (2 packages)

NVD | mozilla/firefox | 3.0.10 +89
NVD | mozilla/seamonkey | 1.1.16 +21

Patches

🔴 Vulnerability Details (2)

GHSA | GHSA-m6fm-xwqg-f4r6: Visual truncation vulnerability in netwerk/dns/src/nsIDNService | 2022-05-02
CVEList | CVE-2009-1834: Visual truncation vulnerability in netwerk/dns/src/nsIDNService | 2009-06-12

💥 Exploits & PoCs (2)

Exploit-DB | Mozilla Firefox 3.0.10 / SeaMonkey 1.1.16 - Address Bar URI Spoofing | 2009-05-11
Exploit-DB | WordPress MU < 2.7 - 'HOST' HTTP Header Cross-Site Scripting | 2009-03-10

📋 Vendor Advisories (2)

Ubuntu | Firefox and Xulrunner vulnerabilities | 2009-06-12
Red Hat | Firefox URL spoofing with invalid unicode characters | 2009-06-11

💬 Community (1)

Bugzilla | CVE-2009-1834 Firefox URL spoofing with invalid unicode characters | 2009-06-01