CVE-2009-3988 — Cross-site Scripting in Mozilla Firefox
Severity
5.0 MEDIUM (NVD)
EPSS
0.4%
top 39.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 22
Latest update: May 2
Description
Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly restrict read access to object properties in showModalDialog, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via crafted dialogArguments values.
CVSS vector
AV:N/AC:L/C:P/I:N/A:N
Exploitability: 10.0 | Impact: 2.9
Affected Packages: 2 packages
Vulnerability Details (2)
Vendor Advisories (3)
Community (1)
Bugzilla
CVE-2009-3988 Mozilla violation of same-origin policy due to properties set on objects passed to showModalDialog (MFSA 2010-04), 2010-02-17