National Vulnerability Database (NVD) National Vulnerability Database (CVE-2008-1235)

National Cyber Awareness System

Vulnerability Summary for CVE-2008-1235

Original release date:03/27/2008

Last revised:04/12/2011

Source: US-CERT/NIST

Overview

Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to execute arbitrary code via unknown vectors that cause JavaScript to execute with the wrong principal, aka "Privilege escalation via incorrect principals."

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) (legend)

Impact Subscore: 10.0

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

US-CERT Technical Alert: TA08-087A

Name: TA08-087A

Hyperlink:http://www.us-cert.gov/cas/techalerts/TA08-087A.html

US-CERT Vulnerability Note: VU#466521

Name: VU#466521

Hyperlink:http://www.kb.cert.org/vuls/id/466521

External Source: CONFIRM

Name: http://www.mozilla.org/security/announce/2008/mfsa2008-14.html

Type: Advisory; Patch Information

Hyperlink:http://www.mozilla.org/security/announce/2008/mfsa2008-14.html

External Source: FEDORA

Name: FEDORA-2008-3557

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00074.html

External Source: FEDORA

Name: FEDORA-2008-3519

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00058.html

External Source: XF

Name: mozilla-principal-code-execution(41457)

Hyperlink:http://xforce.iss.net/xforce/xfdb/41457

External Source: VUPEN

Name: ADV-2008-2091

Hyperlink:http://www.vupen.com/english/advisories/2008/2091/references

External Source: VUPEN

Name: ADV-2008-1793

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2008/1793/references

External Source: VUPEN

Name: ADV-2008-0999

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2008/0999/references

External Source: VUPEN

Name: ADV-2008-0998

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2008/0998/references

External Source: UBUNTU

Name: USN-605-1

Hyperlink:http://www.ubuntu.com/usn/usn-605-1

External Source: UBUNTU

Name: USN-592-1

Hyperlink:http://www.ubuntu.com/usn/usn-592-1

External Source: SECTRACK

Name: 1019694

Hyperlink:http://www.securitytracker.com/id?1019694

External Source: BID

Name: 28448

Hyperlink:http://www.securityfocus.com/bid/28448

External Source: BUGTRAQ

Name: 20080327 rPSA-2008-0128-1 firefox

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/490196/100/0/threaded

External Source: REDHAT

Name: RHSA-2008:0209

Hyperlink:http://www.redhat.com/support/errata/RHSA-2008-0209.html

External Source: REDHAT

Name: RHSA-2008:0207

Hyperlink:http://www.redhat.com/support/errata/RHSA-2008-0207.html

External Source: MANDRIVA

Name: MDVSA-2008:155

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2008:155

External Source: MANDRIVA

Name: MDVSA-2008:080

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2008:080

External Source: GENTOO

Name: GLSA-200805-18

Hyperlink:http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml

External Source: DEBIAN

Name: DSA-1574

Hyperlink:http://www.debian.org/security/2008/dsa-1574

External Source: DEBIAN

Name: DSA-1535

Hyperlink:http://www.debian.org/security/2008/dsa-1535

External Source: DEBIAN

Name: DSA-1534

Hyperlink:http://www.debian.org/security/2008/dsa-1534

External Source: DEBIAN

Name: DSA-1532

Hyperlink:http://www.debian.org/security/2008/dsa-1532

External Source: CONFIRM

Name: http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128

Hyperlink:http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128

External Source: SUNALERT

Name: 239546

Hyperlink:http://sunsolve.sun.com/search/document.do?assetkey=1-26-239546-1

External Source: SUNALERT

Name: 238492

Hyperlink:http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1

External Source: SECUNIA

Name: 31043

Type: Advisory

Hyperlink:http://secunia.com/advisories/31043

External Source: SECUNIA

Name: 30620

Type: Advisory

Hyperlink:http://secunia.com/advisories/30620

External Source: SECUNIA

Name: 30370

Type: Advisory

Hyperlink:http://secunia.com/advisories/30370

External Source: SECUNIA

Name: 30327

Type: Advisory

Hyperlink:http://secunia.com/advisories/30327

External Source: SECUNIA

Name: 30192

Type: Advisory

Hyperlink:http://secunia.com/advisories/30192

External Source: SECUNIA

Name: 30105

Type: Advisory

Hyperlink:http://secunia.com/advisories/30105

External Source: SECUNIA

Name: 30094

Type: Advisory

Hyperlink:http://secunia.com/advisories/30094

External Source: SECUNIA

Name: 30016

Type: Advisory

Hyperlink:http://secunia.com/advisories/30016

External Source: SECUNIA

Name: 29645

Type: Advisory

Hyperlink:http://secunia.com/advisories/29645

External Source: SECUNIA

Name: 29616

Type: Advisory

Hyperlink:http://secunia.com/advisories/29616

External Source: SECUNIA

Name: 29607

Type: Advisory

Hyperlink:http://secunia.com/advisories/29607

External Source: SECUNIA

Name: 29560

Type: Advisory

Hyperlink:http://secunia.com/advisories/29560

External Source: SECUNIA

Name: 29558

Type: Advisory

Hyperlink:http://secunia.com/advisories/29558

External Source: SECUNIA

Name: 29550

Type: Advisory

Hyperlink:http://secunia.com/advisories/29550

External Source: SECUNIA

Name: 29548

Type: Advisory

Hyperlink:http://secunia.com/advisories/29548

External Source: SECUNIA

Name: 29547

Type: Advisory

Hyperlink:http://secunia.com/advisories/29547

External Source: SECUNIA

Name: 29541

Type: Advisory

Hyperlink:http://secunia.com/advisories/29541

External Source: SECUNIA

Name: 29539

Type: Advisory

Hyperlink:http://secunia.com/advisories/29539

External Source: SECUNIA

Name: 29526

Type: Advisory

Hyperlink:http://secunia.com/advisories/29526

External Source: SECUNIA

Name: 29391

Type: Advisory

Hyperlink:http://secunia.com/advisories/29391

External Source: REDHAT

Name: RHSA-2008:0208

Hyperlink:http://rhn.redhat.com/errata/RHSA-2008-0208.html

External Source: OVAL

Name: oval:org.mitre.oval:def:10980

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10980

External Source: SLACKWARE

Name: SSA:2008-128-02

Hyperlink:http://marc.info/?l=slackware-security&m=121022465927874&w=2

External Source: SUSE

Name: SUSE-SA:2008:019

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00002.html

References to Check Content

Identifier:oval:org.mitre.oval:def:10980

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10980

Vulnerable software and versions

Configuration 1

* cpe:/a:mozilla:firefox:2.0.0.12 and previous versions

* cpe:/a:mozilla:seamonkey:1.1.8 and previous versions

* cpe:/a:mozilla:thunderbird:2.0.0.12 and previous versions

* cpe:/a:mozilla:firefox:2.0.0.11

* cpe:/a:mozilla:firefox:2.0.0.10

* cpe:/a:mozilla:firefox:2.0.0.9

* cpe:/a:mozilla:firefox:2.0.0.8

* cpe:/a:mozilla:firefox:2.0.0.7

* cpe:/a:mozilla:firefox:2.0.0.6

* cpe:/a:mozilla:firefox:2.0.0.5

* cpe:/a:mozilla:firefox:2.0.0.4

* cpe:/a:mozilla:firefox:2.0.0.3

* cpe:/a:mozilla:firefox:2.0.0.2

* cpe:/a:mozilla:firefox:2.0.0.1

* cpe:/a:mozilla:firefox:2.0

* cpe:/a:mozilla:firefox:1.5.0.12

* cpe:/a:mozilla:firefox:1.5.0.11

* cpe:/a:mozilla:firefox:1.5.0.10

* cpe:/a:mozilla:firefox:1.5.0.9

* cpe:/a:mozilla:firefox:1.5.0.8

* cpe:/a:mozilla:firefox:1.5.0.7

* cpe:/a:mozilla:firefox:1.5.0.6

* cpe:/a:mozilla:firefox:1.5.0.5

* cpe:/a:mozilla:firefox:1.5.0.4

* cpe:/a:mozilla:firefox:1.5.0.3

* cpe:/a:mozilla:firefox:1.5.0.2

* cpe:/a:mozilla:firefox:1.5.0.1

* cpe:/a:mozilla:firefox:1.5

* cpe:/a:mozilla:firefox:1.0.8

* cpe:/a:mozilla:firefox:1.0.7

* cpe:/a:mozilla:firefox:1.0.6

* cpe:/a:mozilla:firefox:1.0.5

* cpe:/a:mozilla:firefox:1.0.4

* cpe:/a:mozilla:firefox:1.0.3

* cpe:/a:mozilla:firefox:1.0.2

* cpe:/a:mozilla:firefox:1.0.1

* cpe:/a:mozilla:firefox:1.0

* cpe:/a:mozilla:firefox:1.0:preview_release

* cpe:/a:mozilla:firefox:0.9.3

* cpe:/a:mozilla:firefox:0.9.2

* cpe:/a:mozilla:firefox:0.9.1

* cpe:/a:mozilla:firefox:0.9

* cpe:/a:mozilla:firefox:0.8

* cpe:/a:mozilla:firefox:0.7.1

* cpe:/a:mozilla:firefox:0.7

* cpe:/a:mozilla:firefox:0.6.1

* cpe:/a:mozilla:firefox:0.6

* cpe:/a:mozilla:firefox:0.5

* cpe:/a:mozilla:firefox:0.4

* cpe:/a:mozilla:firefox:0.2

* cpe:/a:mozilla:firefox:0.1

* cpe:/a:mozilla:thunderbird:2.0.0.9

* cpe:/a:mozilla:thunderbird:2.0.0.6

* cpe:/a:mozilla:thunderbird:2.0.0.5

* cpe:/a:mozilla:thunderbird:2.0.0.4

* cpe:/a:mozilla:thunderbird:2.0.0.0

* cpe:/a:mozilla:thunderbird:1.5.0.14

* cpe:/a:mozilla:thunderbird:1.5.0.13

* cpe:/a:mozilla:thunderbird:1.5.0.12

* cpe:/a:mozilla:thunderbird:1.5.0.10

* cpe:/a:mozilla:thunderbird:1.5.0.9

* cpe:/a:mozilla:thunderbird:1.5.0.8

* cpe:/a:mozilla:thunderbird:1.5.0.7

* cpe:/a:mozilla:thunderbird:1.5.0.5

* cpe:/a:mozilla:thunderbird:1.5.0.4

* cpe:/a:mozilla:thunderbird:1.5.0.2

* cpe:/a:mozilla:thunderbird:1.5

* cpe:/a:mozilla:thunderbird:1.0.8

* cpe:/a:mozilla:thunderbird:1.0.7

* cpe:/a:mozilla:thunderbird:1.0.6

* cpe:/a:mozilla:thunderbird:1.0.5

* cpe:/a:mozilla:thunderbird:1.0.4

* cpe:/a:mozilla:thunderbird:1.0.2

* cpe:/a:mozilla:thunderbird:1.0

* cpe:/a:mozilla:thunderbird:0.9

* cpe:/a:mozilla:thunderbird:0.8

* cpe:/a:mozilla:thunderbird:0.7

* cpe:/a:mozilla:thunderbird:0.6

* cpe:/a:mozilla:thunderbird:0.5

* cpe:/a:mozilla:thunderbird:0.4

* cpe:/a:mozilla:thunderbird:0.3

* cpe:/a:mozilla:thunderbird:0.2

* cpe:/a:mozilla:thunderbird:0.1

* cpe:/a:mozilla:seamonkey:1.1.7

* cpe:/a:mozilla:seamonkey:1.1.6

* cpe:/a:mozilla:seamonkey:1.1.5

* cpe:/a:mozilla:seamonkey:1.1.4

* cpe:/a:mozilla:seamonkey:1.1.3

* cpe:/a:mozilla:seamonkey:1.1.2

* cpe:/a:mozilla:seamonkey:1.1.1

* cpe:/a:mozilla:seamonkey:1.1

* cpe:/a:mozilla:seamonkey:1.1:beta

* cpe:/a:mozilla:seamonkey:1.1:alpha

* cpe:/a:mozilla:seamonkey:1.0.9

* cpe:/a:mozilla:seamonkey:1.0.8

* cpe:/a:mozilla:seamonkey:1.0.7

* cpe:/a:mozilla:seamonkey:1.0.6

* cpe:/a:mozilla:seamonkey:1.0.5

* cpe:/a:mozilla:seamonkey:1.0.4

* cpe:/a:mozilla:seamonkey:1.0.3

* cpe:/a:mozilla:seamonkey:1.0.2

* cpe:/a:mozilla:seamonkey:1.0.1

* cpe:/a:mozilla:seamonkey:1.0

* cpe:/a:mozilla:seamonkey:1.0:beta

* cpe:/a:mozilla:seamonkey:1.0:alpha

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Insufficient Information (NVD-CWE-noinfo)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1235