CVE-2009-3376Mozilla Seamonkey vulnerability

CWE-168 documents6 sources
Severity
9.3CRITICALNVD
EPSS
3.0%
top 13.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla SeamonkeyMozilla Firefox
Timeline
PublishedOct 29
Latest updateMay 2

Description

Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages2 packages

NVDmozilla/seamonkey1.5.0.10+30
NVDmozilla/firefox17 versions+16

Patches

Patch: www.mozilla.orgPatch: www.mozilla.org

🔴Vulnerability Details

2
GHSA
GHSA-xgrc-85pp-86cg: Mozilla Firefox before 32022-05-02
CVEList
CVE-2009-3376: Mozilla Firefox before 32009-10-29

📋Vendor Advisories

4
Ubuntu
Thunderbird vulnerabilities2010-03-18
Ubuntu
Firefox and Xulrunner regression2009-11-11
Ubuntu
Firefox and Xulrunner vulnerabilities2009-10-31
Red Hat
Firefox download filename spoofing with RTL override2009-10-27

💬Community

1
Bugzilla
CVE-2009-3376 Firefox download filename spoofing with RTL override2009-10-21
CVE-2009-3376 — Mozilla Seamonkey vulnerability | cvebase