CVE-2009-3382
Published 2009-10-29
Priority: P3 46 | critical | 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 10.84% (95.3th percentile)
layout/base/nsCSSFrameConstructor.cpp in the browser engine in Mozilla Firefox 3.0.x before 3.0.15 does not properly handle first-letter frames, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
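CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | | 10.0 | CRITICAL | |
| vendor_ubuntu | | 4.4 | MEDIUM | |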
Ubuntu
Firefox and Xulrunner regression
vendor_ubuntu · 2009-11-11 · CVSS 4.4 [MEDIUM]
USN-853-1 fixed vulnerabilities in Firefox and Xulrunner. The upstream
changes introduced regressions that could lead to crashes when processing
certain malformed GIF images, fonts and web pages. This update fixes the
problem.
We apologize for the inconvenience.
Original advisory details:
Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)
Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
symlink attacks.
Ubuntu
Firefox and Xulrunner vulnerabilities
vendor_ubuntu · 2009-10-31 · CVSS 4.4 · CVE-2009-3371 [MEDIUM]
Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)
Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
symlink attacks. A local attacker could exploit this to create or overwrite
files with the privileges of the user invoking the program. (CVE-2009-3274)
Paul Stone discovered a flaw in the Firefox form history. If a user were
tricked into viewing a malicious website, a remote attacker could access t
Red Hat
Firefox crashes with evidence of memory corruption
vendor_redhat · 2009-10-27 · CVSS 10.0 · CVE-2009-3382 [CRITICAL]
layout/base/nsCSSFrameConstructor.cpp in the browser engine in Mozilla Firefox 3.0.x before 3.0.15 does not properly handle first-letter frames, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.
GHSA
GHSA-xrcj-j2px-vg49: layout/base/nsCSSFrameConstructor
ghsa_unreviewed · 2022-05-02 · CVE-2009-3382 [HIGH]
layout/base/nsCSSFrameConstructor.cpp in the browser engine in Mozilla Firefox 3.0.x before 3.0.15 does not properly handle first-letter frames, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.
No detection rules found.
Exploit-DB
Mozilla Firefox 3.0.14 - Remote Memory Corruption
exploitdb · 2009-10-27 · CVE-2009-3382
---
source: https://www.securityfocus.com/bid/36866/info
Mozilla Firefox is prone to a remote memory-corruption vulnerability.
Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously covered in BID 36843 (Mozilla Firefox and SeaMonkey MFSA 2009-52 through -64 Multiple Vulnerabilities), but has been assigned its own record to better document it.
function doe2(i) { document.getElementById('a').setAttribute('style', 'display: -moz-box; '); document.getElementById('c').style.display= 'none'; } setTimeout(doe2,500,0); div::first-letter {float: right; } a m
Exploit-DB
Apache Tomcat 6.0.13 - Insecure Cookie Handling Quote Delimiter Session ID Disclosure
exploitdb · 2007-08-14 · CVE-2007-3382
---
source: https://www.securityfocus.com/bid/25316/info
Apache Tomcat is prone to multiple information-disclosure vulnerabilities because it fails to adequately sanitize user-supplied data.
Attackers can exploit these issues to access potentially sensitive data that may aid in further attacks.
Versions prior to Apache Tomcat 6.0.14 are vulnerable.
http://www.example.com:8080/examples/servlets/servlet/CookieExample?cookiename=HAHA&cookievalue=%5C%22FOO%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2F%3B
http://www.example.com:8080/servlets-examples/servlet/CookieExample?cookiename=BLOCKER&cookievalue=%5C%22A%3D%27%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-ex
References
http://sunsolve.sun.com/search/document.do?assetkey=1-26-272909-1
http://www.mozilla.org/security/announce/2009/mfsa2009-64.html
http://www.vupen.com/english/advisories/2009/3334
https://bugzilla.mozilla.org/show_bug.cgi?id=514960
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11219
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5581