CVE-2009-3987 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure5 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.8%

top 25.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey

Timeline

PublishedDec 17

Latest updateMay 2

Description

The GeckoActiveXObject function in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, generates different exception messages depending on whether the referenced COM object is listed in the registry, which allows remote attackers to obtain potentially sensitive information about installed software by making multiple calls that specify the ProgID values of different COM objects.

CVSS vector

AV:N/AC:L/C:C/I:N/A:NExploitability: 10.0 | Impact: 6.9

Affected Packages2 packages

▶NVDmozilla/firefox3.0.15+98

▶NVDmozilla/seamonkey2.0+35

Patches

Patch: securitytracker.com ↗Patch: securitytracker.com ↗Patch: www.vupen.com ↗

🔴Vulnerability Details

GHSA

GHSA-vwqf-r5hr-488h: The GeckoActiveXObject function in Mozilla Firefox before 3↗2022-05-02

▶

CVEList

CVE-2009-3987: The GeckoActiveXObject function in Mozilla Firefox before 3↗2009-12-17

▶

📋Vendor Advisories

Red Hat

Mozilla GeckoActiveXObject exception messages can be used to enumerate installed COM objects↗2009-12-15

▶

💬Community

Bugzilla

CVE-2009-3987 Mozilla GeckoActiveXObject exception messages can be used to enumerate installed COM objects↗2009-12-11

▶