Rapid7 Vulnerability & Exploit Database

Mozilla Firefox Multiple Vulnerabilities Fixed in versions 2.0.0.19 and 3.0.5


Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 12/16/2008
Created: 07/25/2018
Added: 02/25/2009
Modified: 02/13/2015

Description

Certain versions of Mozilla Firefox ship with a flawed version of the layout engine. This could allow remote attackers to cause a denial of service (crash) or trigger memory corruption. (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502)

Certain versions of Mozilla Firefox ship with a flawed implementation of the loadBindingDocument function. This could allow remote attackers to read or access data from other domains via specially crafted XBL bindings. (CVE-2008-5503)

The feed preview in certain versions of Mozilla Firefox can be used as a vector for JavaScript privilege escalation. This could allow remote attackers to run arbitrary JavaScript with chrome privileges. (CVE-2008-5504)

Certain versions of Mozilla Firefox contain a flawed implementation of the persist attribute in the XUL element. This could allow remote attackers to bypass intended privacy restrictions. (CVE-2008-5505)

The XMLHttpRequest in certain versions of Mozilla Firefox can be used to bypass the same-origin policy. This could allow remote attackers to read sensitive data via the XMLHttpRequest response. (CVE-2008-5506)

Certain versions of Mozilla Firefox contain a flawed implementation of window.onerror in the DOM API. This could allow remote attackers to bypass the same-origin policy and access data via a specially crafted JavaScript URL. (CVE-2008-5507)

Certain versions of Mozilla Firefox do not properly parse URLs with leading whitespace or control characters. This could allow remote attackers to launch phishing attacks against unsuspecting users via a misrepresented URL. (CVE-2008-5508)

The CSS parser in certain versions of Mozilla Firefox ignores the '\0' escaped null character. This could allow remote attackers to bypass protection mechanisms. (CVE-2008-5510)

The XBL binding of certain versions of Mozilla Firefox can be used to violate the same-origin policy. This could allow remote attackers to execute arbitrary JavaScript. (CVE-2008-5511, CVE-2008-5512)

Certain versions of Mozilla Firefox contain a flawed implementation of the session-restore feature. This could allow remote attackers to violate the same-origin policy and perform an XSS attack. (CVE-2008-5513)

Solution(s)

  • mozilla-firefox-upgrade-2_0_0_19
  • mozilla-firefox-upgrade-3_0_5
