National Vulnerability Database (NVD) National Vulnerability Database (CVE-2010-1125)

National Cyber Awareness System

Vulnerability Summary for CVE-2010-1125

Original release date:03/26/2010

Last revised:11/06/2012

Source: US-CERT/NIST

Overview

The JavaScript implementation in Mozilla Firefox 3.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, allows remote attackers to send selected keystrokes to a form field in a hidden frame, instead of the intended form field in a visible frame, via certain calls to the focus method.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information; Allows unauthorized modification

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: https://bugzilla.mozilla.org/show_bug.cgi?id=552255

Hyperlink:https://bugzilla.mozilla.org/show_bug.cgi?id=552255

External Source: VUPEN

Name: ADV-2010-1773

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2010/1773

External Source: VUPEN

Name: ADV-2010-1640

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2010/1640

External Source: VUPEN

Name: ADV-2010-1592

Hyperlink:http://www.vupen.com/english/advisories/2010/1592

External Source: VUPEN

Name: ADV-2010-1557

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2010/1557

External Source: VUPEN

Name: ADV-2010-1551

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2010/1551

External Source: UBUNTU

Name: USN-930-2

Hyperlink:http://www.ubuntu.com/usn/usn-930-2

External Source: SECTRACK

Name: 1024138

Hyperlink:http://www.securitytracker.com/id?1024138

External Source: BUGTRAQ

Name: 20100313 ...because you can't get enough of clickjacking

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/510070/100/0/threaded

External Source: REDHAT

Name: RHSA-2010:0501

Hyperlink:http://www.redhat.com/support/errata/RHSA-2010-0501.html

External Source: REDHAT

Name: RHSA-2010:0500

Hyperlink:http://www.redhat.com/support/errata/RHSA-2010-0500.html

External Source: CONFIRM

Name: http://www.mozilla.org/security/announce/2010/mfsa2010-31.html

Type: Advisory

Hyperlink:http://www.mozilla.org/security/announce/2010/mfsa2010-31.html

External Source: MANDRIVA

Name: MDVSA-2010:125

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2010:125

External Source: UBUNTU

Name: USN-930-1

Hyperlink:http://ubuntu.com/usn/usn-930-1

External Source: CONFIRM

Name: http://support.avaya.com/css/P8/documents/100091069

Hyperlink:http://support.avaya.com/css/P8/documents/100091069

External Source: SECUNIA

Name: 40481

Type: Advisory

Hyperlink:http://secunia.com/advisories/40481

External Source: SECUNIA

Name: 40401

Type: Advisory

Hyperlink:http://secunia.com/advisories/40401

External Source: SECUNIA

Name: 40326

Type: Advisory

Hyperlink:http://secunia.com/advisories/40326

External Source: OVAL

Name: oval:org.mitre.oval:def:13962

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:13962

External Source: OVAL

Name: oval:org.mitre.oval:def:10386

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10386

External Source: SUSE

Name: SUSE-SA:2010:030

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2010-07/msg00005.html

External Source: FEDORA

Name: FEDORA-2010-10361

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043405.html

External Source: FEDORA

Name: FEDORA-2010-10344

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043369.html

References to Check Content

Identifier:oval:org.mitre.oval:def:10386

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10386

Identifier:oval:org.mitre.oval:def:13962

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:13962

Vulnerable software and versions

Configuration 1

* cpe:/a:mozilla:firefox:3.0

* cpe:/a:mozilla:firefox:3.0.1

* cpe:/a:mozilla:firefox:3.0.10

* cpe:/a:mozilla:firefox:3.0.11

* cpe:/a:mozilla:firefox:3.0.12

* cpe:/a:mozilla:firefox:3.0.13

* cpe:/a:mozilla:firefox:3.0.14

* cpe:/a:mozilla:firefox:3.0.15

* cpe:/a:mozilla:firefox:3.0.2

* cpe:/a:mozilla:firefox:3.0.3

* cpe:/a:mozilla:firefox:3.0.4

* cpe:/a:mozilla:firefox:3.0.5

* cpe:/a:mozilla:firefox:3.0.7

* cpe:/a:mozilla:firefox:3.0.8

* cpe:/a:mozilla:firefox:3.0.9

* cpe:/a:mozilla:firefox:3.5

* cpe:/a:mozilla:firefox:3.5.1

* cpe:/a:mozilla:firefox:3.5.2

* cpe:/a:mozilla:firefox:3.5.3

* cpe:/a:mozilla:firefox:3.5.4

* cpe:/a:mozilla:firefox:3.5.5

* cpe:/a:mozilla:firefox:3.6

* cpe:/a:mozilla:firefox:3.6.2

* cpe:/a:mozilla:firefox:3.5.6

* cpe:/a:mozilla:firefox:3.5.7

* cpe:/a:mozilla:firefox:3.5.9

Configuration 2

* cpe:/a:mozilla:firefox:3.6

* cpe:/a:mozilla:firefox:3.6.1

* cpe:/a:mozilla:firefox:3.6.2

* cpe:/a:mozilla:firefox:3.6.3

Configuration 3

* cpe:/a:mozilla:seamonkey:2.0

* cpe:/a:mozilla:seamonkey:2.0.4 and previous versions

* cpe:/a:mozilla:seamonkey:2.0.3

* cpe:/a:mozilla:seamonkey:2.0.2

* cpe:/a:mozilla:seamonkey:2.0.1

* cpe:/a:mozilla:seamonkey:2.0:rc2

* cpe:/a:mozilla:seamonkey:2.0a1::pre

* cpe:/a:mozilla:seamonkey:2.0a1pre

* cpe:/a:mozilla:seamonkey:2.0:alpha_2

* cpe:/a:mozilla:seamonkey:2.0:alpha_1

* cpe:/a:mozilla:seamonkey:2.0:rc1

* cpe:/a:mozilla:seamonkey:2.0:beta_2

* cpe:/a:mozilla:seamonkey:2.0:beta_1

* cpe:/a:mozilla:seamonkey:2.0:alpha_3

* cpe:/a:mozilla:seamonkey:1.0

* cpe:/a:mozilla:seamonkey:1.0.1

* cpe:/a:mozilla:seamonkey:1.0.2

* cpe:/a:mozilla:seamonkey:1.0.3

* cpe:/a:mozilla:seamonkey:1.0.4

* cpe:/a:mozilla:seamonkey:1.0.5

* cpe:/a:mozilla:seamonkey:1.0.6

* cpe:/a:mozilla:seamonkey:1.0.7

* cpe:/a:mozilla:seamonkey:1.0.8

* cpe:/a:mozilla:seamonkey:1.0.9

* cpe:/a:mozilla:seamonkey:1.0:alpha

* cpe:/a:mozilla:seamonkey:1.0:beta

* cpe:/a:mozilla:seamonkey:1.1

* cpe:/a:mozilla:seamonkey:1.1.1

* cpe:/a:mozilla:seamonkey:1.1.10

* cpe:/a:mozilla:seamonkey:1.1.11

* cpe:/a:mozilla:seamonkey:1.1.12

* cpe:/a:mozilla:seamonkey:1.1.13

* cpe:/a:mozilla:seamonkey:1.1.14

* cpe:/a:mozilla:seamonkey:1.1.15

* cpe:/a:mozilla:seamonkey:1.1.16

* cpe:/a:mozilla:seamonkey:1.1.17

* cpe:/a:mozilla:seamonkey:1.1.18

* cpe:/a:mozilla:seamonkey:1.1.19

* cpe:/a:mozilla:seamonkey:1.1.2

* cpe:/a:mozilla:seamonkey:1.1.3

* cpe:/a:mozilla:seamonkey:1.1.4

* cpe:/a:mozilla:seamonkey:1.1.5

* cpe:/a:mozilla:seamonkey:1.1.6

* cpe:/a:mozilla:seamonkey:1.1.7

* cpe:/a:mozilla:seamonkey:1.1.8

* cpe:/a:mozilla:seamonkey:1.1.9

* cpe:/a:mozilla:seamonkey:1.1:alpha

* cpe:/a:mozilla:seamonkey:1.1:beta

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Information Leak / Disclosure (CWE-200)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1125