Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-2654: Improper Input Validation in Mozilla Firefox

Severity
6.8 MEDIUM NVD
NVD 5.8
EPSS
13.2%
top 5.85%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Aug 3
Latest update: May 2

Description

Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page.

CVSS vector

AV:N/AC:M/C:N/I:P/A:P
Exploitability: 8.6 | Impact: 4.9

Affected Packages (2 packages)

NVD: mozilla/firefox 3.5.1 +103
NVD: mozilla/seamonkey 2.0 +35

Patches

🔴 Vulnerability Details (2)

GHSA
GHSA-4h5h-76c6-8744: Mozilla Firefox before 3 (2022-05-02)
GHSA
GHSA-gfvv-6f6j-f63q: Mozilla Firefox before 3 (2022-05-02)

💥 Exploits & PoCs (1)

Exploit-DB
Mozilla Firefox 3.5.1 - Error Page Address Bar URI Spoofing (2009-06-24)

📋 Vendor Advisories (3)

Red Hat
Mozilla URL spoofing via invalid document.location (2009-12-15)
Ubuntu
Firefox and Xulrunner vulnerability (2009-08-08)
Red Hat
firefox: URL bar spoofing vulnerability (2009-07-24)

💬 Community (1)

Bugzilla
CVE-2009-2654 firefox: URL bar spoofing vulnerability (2009-09-04)