National Vulnerability Database (NVD) National Vulnerability Database (CVE-2007-0780)

National Cyber Awareness System

Vulnerability Summary for CVE-2007-0780

Original release date:02/26/2007

Last revised:03/08/2011

Source: US-CERT/NIST

Overview

browser.js in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 uses the requesting URI to identify child windows, which allows remote attackers to conduct cross-site scripting (XSS) attacks by opening a blocked popup originating from a javascript: URI in combination with multiple frames having the same data: URI.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: http://www.mozilla.org/security/announce/2007/mfsa2007-05.html

Type: Patch Information

Hyperlink:http://www.mozilla.org/security/announce/2007/mfsa2007-05.html

External Source: MISC

Name: https://bugzilla.mozilla.org/show_bug.cgi?id=354973

Hyperlink:https://bugzilla.mozilla.org/show_bug.cgi?id=354973

External Source: VUPEN

Name: ADV-2007-0718

Hyperlink:http://www.vupen.com/english/advisories/2007/0718

External Source: OVAL

Name: oval:org.mitre.oval:def:9884

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9884

External Source: HP

Name: SSRT061181

Hyperlink:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742

External Source: CONFIRM

Name: https://issues.rpath.com/browse/RPL-1103

Hyperlink:https://issues.rpath.com/browse/RPL-1103

External Source: CONFIRM

Name: https://issues.rpath.com/browse/RPL-1081

Hyperlink:https://issues.rpath.com/browse/RPL-1081

External Source: XF

Name: mozilla-dataurl-xss(32667)

Hyperlink:http://xforce.iss.net/xforce/xfdb/32667

External Source: UBUNTU

Name: USN-428-1

Hyperlink:http://www.ubuntu.com/usn/usn-428-1

External Source: SECTRACK

Name: 1017702

Hyperlink:http://www.securitytracker.com/id?1017702

External Source: BID

Name: 22694

Hyperlink:http://www.securityfocus.com/bid/22694

External Source: BUGTRAQ

Name: 20070303 rPSA-2007-0040-3 firefox thunderbird

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/461809/100/0/threaded

External Source: BUGTRAQ

Name: 20070226 rPSA-2007-0040-1 firefox

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/461336/100/0/threaded

External Source: REDHAT

Name: RHSA-2007:0108

Hyperlink:http://www.redhat.com/support/errata/RHSA-2007-0108.html

External Source: REDHAT

Name: RHSA-2007:0097

Hyperlink:http://www.redhat.com/support/errata/RHSA-2007-0097.html

External Source: REDHAT

Name: RHSA-2007:0079

Hyperlink:http://www.redhat.com/support/errata/RHSA-2007-0079.html

External Source: REDHAT

Name: RHSA-2007:0078

Hyperlink:http://www.redhat.com/support/errata/RHSA-2007-0078.html

External Source: OSVDB

Name: 32107

Hyperlink:http://www.osvdb.org/32107

External Source: SUSE

Name: SUSE-SA:2007:022

Hyperlink:http://www.novell.com/linux/security/advisories/2007_22_mozilla.html

External Source: MANDRIVA

Name: MDKSA-2007:050

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2007:050

External Source: GENTOO

Name: GLSA-200703-08

Hyperlink:http://www.gentoo.org/security/en/glsa/glsa-200703-08.xml

External Source: SLACKWARE

Name: SSA:2007-066-03

Hyperlink:http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.374851

External Source: SLACKWARE

Name: SSA:2007-066-05

Hyperlink:http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.338131

External Source: GENTOO

Name: GLSA-200703-04

Hyperlink:http://security.gentoo.org/glsa/glsa-200703-04.xml

External Source: SECUNIA

Name: 24650

Hyperlink:http://secunia.com/advisories/24650

External Source: SECUNIA

Name: 24457

Hyperlink:http://secunia.com/advisories/24457

External Source: SECUNIA

Name: 24455

Hyperlink:http://secunia.com/advisories/24455

External Source: SECUNIA

Name: 24437

Hyperlink:http://secunia.com/advisories/24437

External Source: SECUNIA

Name: 24395

Hyperlink:http://secunia.com/advisories/24395

External Source: SECUNIA

Name: 24393

Hyperlink:http://secunia.com/advisories/24393

External Source: SECUNIA

Name: 24384

Hyperlink:http://secunia.com/advisories/24384

External Source: SECUNIA

Name: 24343

Hyperlink:http://secunia.com/advisories/24343

External Source: SECUNIA

Name: 24342

Hyperlink:http://secunia.com/advisories/24342

External Source: SECUNIA

Name: 24333

Hyperlink:http://secunia.com/advisories/24333

External Source: SECUNIA

Name: 24328

Hyperlink:http://secunia.com/advisories/24328

External Source: SECUNIA

Name: 24320

Hyperlink:http://secunia.com/advisories/24320

External Source: SECUNIA

Name: 24293

Hyperlink:http://secunia.com/advisories/24293

External Source: SECUNIA

Name: 24290

Hyperlink:http://secunia.com/advisories/24290

External Source: SECUNIA

Name: 24287

Hyperlink:http://secunia.com/advisories/24287

External Source: SECUNIA

Name: 24238

Hyperlink:http://secunia.com/advisories/24238

External Source: SECUNIA

Name: 24205

Hyperlink:http://secunia.com/advisories/24205

External Source: REDHAT

Name: RHSA-2007:0077

Hyperlink:http://rhn.redhat.com/errata/RHSA-2007-0077.html

External Source: SUSE

Name: SUSE-SA:2007:019

Hyperlink:http://lists.suse.com/archive/suse-security-announce/2007-Mar/0001.html

External Source: HP

Name: SSRT061181

Hyperlink:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742

External Source: FEDORA

Name: FEDORA-2007-293

Hyperlink:http://fedoranews.org/cms/node/2728

External Source: FEDORA

Name: FEDORA-2007-281

Hyperlink:http://fedoranews.org/cms/node/2713

External Source: SGI

Name: 20070301-01-P

Hyperlink:ftp://patches.sgi.com/support/free/security/advisories/20070301-01-P.asc

External Source: SGI

Name: 20070202-01-P

Hyperlink:ftp://patches.sgi.com/support/free/security/advisories/20070202-01-P.asc

References to Check Content

Identifier:oval:org.mitre.oval:def:9884

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:9884

Vulnerable software and versions

Configuration 1

* cpe:/a:mozilla:firefox:1.5.0.9 and previous versions

* cpe:/a:mozilla:firefox:2.0.0.1 and previous versions

* cpe:/a:mozilla:seamonkey:1.0.7 and previous versions

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780