CVE-2009-3012 — Cross-site Scripting in Mozilla Firefox

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 52.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox

Timeline

PublishedAug 31

Latest updateMay 2

Description

Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre does not properly block data: URIs in Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Location header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header. NOTE: the JavaScript executes outside of the context of…

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDmozilla/firefox3.0.13+16

🔴Vulnerability Details

GHSA

GHSA-mpq2-pcrq-r69f: Mozilla Firefox 3↗2022-05-02

▶

📋Vendor Advisories

Red Hat

firefox: xss due to data: URIs in Location header↗2009-07-14

▶

💬Community

Bugzilla

CVE-2009-3012 firefox: xss due to data: URIs in Location header↗2009-08-31

▶