CVE-2009-2472 — Cross-site Scripting in Mozilla Firefox

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.7%

top 27.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

6

Mozilla Firefox Fedoraproject Fedora Opensuse +3 more

Timeline

PublishedJul 22

Latest updateMay 2

Description

Mozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrapper when required during object construction, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted document, related to a "cross origin wrapper bypass."

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages5 packages

▶NVDmozilla/firefox< 3.0.12

▶NVDopensuse/opensuse11.0, 11.1+1

▶NVDsuse/linux_enterprise_server10, 11+1

▶NVDsuse/linux_enterprise_desktop10, 11+1

▶NVDsuse/linux_enterprise_debuginfo10, 11+1

Also affects: Fedora 10

Patches

Patch: www.mozilla.org ↗Patch: www.securityfocus.com ↗Patch: www.vupen.com ↗

🔴Vulnerability Details

2

GHSA

GHSA-xwvm-8xx6-229v: Mozilla Firefox before 3↗2022-05-02

▶

CVEList

CVE-2009-2472: Mozilla Firefox before 3↗2009-07-22

▶

📋Vendor Advisories

2

Ubuntu

Firefox and Xulrunner vulnerabilities↗2009-07-22

▶

Red Hat

Mozilla multiple cross origin wrapper bypasses↗2009-07-21

▶

💬Community

1

Bugzilla

CVE-2009-2472 Mozilla multiple cross origin wrapper bypasses↗2009-07-16

▶

CVE-2009-2472 — Cross-site Scripting in Mozilla Firefox | cvebase