Rapid7 Vulnerability & Exploit Database

Multiple Mozilla Firefox Vulnerabilities: Fixed in 2.0.0.13

Back to Search

Multiple Mozilla Firefox Vulnerabilities: Fixed in 2.0.0.13

Severity
9
CVSS
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published
03/25/2008
Created
07/25/2018
Added
03/18/2009
Modified
02/13/2015

Description

Firefox before version 2.0.0.13 is affected by the vulnerabilities described in the above links. Some details for each CVE are below.

Unspecified vulnerability in Mozilla Firefox before 2.0.0.13 allows remote attackers to execute arbitrary code via "XPCNativeWrapper pollution". (CVE-2008-1233)

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.13 allows remote attackers to inject arbitrary web script or HTML via event handlers, aka "Universal XSS using event handlers." (CVE-2008-1234)

Unspecified vulnerability in Mozilla Firefox before 2.0.0.13 allows remote attackers to execute arbitrary code via unknown vectors that cause JavaScript to execute with the wrong principal, aka "Privilege escalation via incorrect principals." (CVE-2008-1235)

Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13, low remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the layout engine. (CVE-2008-1236)

Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the JavaScript engine. (CVE-2008-1237)

Mozilla Firefox before 2.0.0.13 when generating the HTTP Referer header, does not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms. (CVE-2008-1238)

LiveConnect in Mozilla Firefox before 2.0.0.13 does not properly parse the content origin for jar: URIs before sending them to the Java plugin, which allows remote attackers to access arbitrary ports on the local machine. NOTE: this is closely related to CVE-2008-1195. (CVE-2008-1240)

GUI overlay vulnerability in Mozilla Firefox before 2.0.0.13 allows remote attackers to spoof form elements and redirect user inputs via a borderless XUL pop-up window from a background tab. (CVE-2008-1241)

Mozilla Firefox before Firefox 2.0.0.13 can automatically install TLS client certificates with minimal user interaction, and automatically sends these certificates when requested, which makes it easier for remote web sites to track user activities across domains by requesting the TLS client certificates from other domains. (CVE-2007-4879)

Unspecified vulnerability in Sun JDK and Java Runtime Environment (JRE) 6 Update 4 and earlier and 5.0 Update 14 and earlier; and SDK and JRE 1.4.2_16 and earlier; allows remote attackers to access arbitrary network services on the local host via unspecified vectors related to JavaScript and Java APIs. (CVE-2008-1195)

Solution(s)

  • mozilla-firefox-upgrade-2_0_0_13

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;