Mozilla Seamonkey vulnerabilities

CVE-2008-0416 [MEDIUM] CWE-79 CVE-2008-0416: Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox before 2.0.0.12, Thunderbird Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allow remote attackers to inject arbitrary web script or HTML via certain character encodings, including (1) a backspace character that is treated as whitespace, (2) 0x80 with Shift_JIS encoding, and (3) "zero-

CVE-2008-0592 [MEDIUM] CVE-2008-0592: Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to cause a denial of service via a plain .txt file with a "Content-Disposition: attachment" and an invalid "Content-Type: plain/text," which prevents Firefox from rendering future plain text files within the browser.

CVE-2008-0593 [MEDIUM] CWE-200 CVE-2008-0593: Gecko-based browsers, including Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8, modify t Gecko-based browsers, including Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8, modify the .href property of stylesheet DOM nodes to the final URI of a 302 redirect, which might allow remote attackers to bypass the Same Origin Policy and read sensitive information from the original URL, such as with Single-Signon systems.

CVE-2008-0413 [CRITICAL] CWE-399 CVE-2008-0413: The JavaScript engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey The JavaScript engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via (1) a large switch statement, (2) certain uses of watch and eval, (3) certain uses of the mousedown event listener, and other vectors

CVE-2008-0419 [CRITICAL] CWE-399 CVE-2008-0419: Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows remote attackers to steal navigati Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows remote attackers to steal navigation history and cause a denial of service (crash) via images in a page that uses designMode frames, which triggers memory corruption related to resize handles.

CVE-2008-0412 [CRITICAL] CWE-399 CVE-2008-0412: The browser engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey be The browser engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to the (1) nsTableFrame::GetFrameAtOrBefore, (2) nsAccessibilityService::GetAccessible, (3) nsBindingManager::GetNestedI

CVE-2008-0418 [MEDIUM] CWE-22 CVE-2008-0418: Directory traversal vulnerability in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, a Directory traversal vulnerability in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8, when using "flat" addons, allows remote attackers to read arbitrary Javascript, image, and stylesheet files via the chrome: URI scheme, as demonstrated by stealing session information from sessionstore.js.

CVE-2008-0414 [MEDIUM] CWE-20 CVE-2008-0414: Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to trick the user into uploading arbitrary files via label tags that shift focus to a file input field, aka "focus spoofing."

CVE-2008-0415 [MEDIUM] CWE-79 CVE-2008-0415: Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remo Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to execute script outside of the sandbox and conduct cross-site scripting (XSS) attacks via multiple vectors including the XMLDocument.load function, aka "JavaScript privilege escalation bugs."

CVE-2007-6589 [MEDIUM] CVE-2007-6589: The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 does not upda The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 does not update the origin domain when retrieving the inner URL parameter yields an HTTP redirect, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI, a different vulnerability than CVE-2007-5947.

CVE-2007-5959 [CRITICAL] CVE-2007-5959: Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 a Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger memory corruption.

CVE-2007-5960 [MEDIUM] CWE-22 CVE-2007-5960: Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 sets the Referer header to the window or Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 sets the Referer header to the window or frame in which script is running, instead of the address of the content that initiated the script, which allows remote attackers to spoof HTTP Referer headers and bypass Referer-based CSRF protection schemes by setting window.location and using a modal al

CVE-2007-5947 [MEDIUM] CWE-79 CVE-2007-5947: The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 retrieves the The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 retrieves the inner URL regardless of its MIME type, and considers HTML documents within a jar archive to have the same origin as the inner URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI.

CVE-2007-5338 [CRITICAL] CWE-16 CVE-2007-5338: Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allow remote attackers to execute arbitrar Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allow remote attackers to execute arbitrary Javascript with user privileges by using the Script object to modify XPCNativeWrappers in a way that causes the script to be executed when a chrome action is performed.

CVE-2007-5337 [MEDIUM] CWE-200 CVE-2007-5337: Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5, when running on Linux systems with gnome- Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5, when running on Linux systems with gnome-vfs support, might allow remote attackers to read arbitrary files on SSH/sftp servers that accept key authentication by creating a web page on the target server, in which the web page contains URIs with (1) smb: or (2) sftp: schemes that access other fi

CVE-2007-5339 [MEDIUM] CWE-20 CVE-2007-5339: Multiple vulnerabilities in Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonke Multiple vulnerabilities in Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonkey before 1.1.5 allow remote attackers to cause a denial of service (crash) via crafted HTML that triggers memory corruption or assert errors.

CVE-2007-5334 [MEDIUM] CWE-16 CVE-2007-5334: Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 can hide the window's titlebar when displa Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 can hide the window's titlebar when displaying XUL markup language documents, which makes it easier for remote attackers to conduct phishing and spoofing attacks by setting the hidechrome attribute.

CVE-2007-5340 [MEDIUM] CWE-20 CVE-2007-5340: Multiple vulnerabilities in the Javascript engine in Mozilla Firefox before 2.0.0.8, Thunderbird bef Multiple vulnerabilities in the Javascript engine in Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonkey before 1.1.5 allow remote attackers to cause a denial of service (crash) via crafted HTML that triggers memory corruption.

CVE-2007-4879 [MEDIUM] CVE-2007-4879: Mozilla Firefox before Firefox 2.0.0.13, and SeaMonkey before 1.1.9, can automatically install TLS c Mozilla Firefox before Firefox 2.0.0.13, and SeaMonkey before 1.1.9, can automatically install TLS client certificates with minimal user interaction, and automatically sends these certificates when requested, which makes it easier for remote web sites to track user activities across domains by requesting the TLS client certificates from other domains.

CVE-2007-4841 [CRITICAL] CVE-2007-4841: Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonkey before 1.1.5 allows remote Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMonkey before 1.1.5 allows remote attackers to execute arbitrary commands via a (1) mailto, (2) nntp, (3) news, or (4) snews URI with invalid "%" encoding, related to improper file type handling on Windows XP with Internet Explorer 7 installed, a variant of CVE-2007-3845.