CVE-2008-0593

CVSS V2 Medium 4.3 CVSS V3 None

Description

Gecko-based browsers, including Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8, modify the .href property of stylesheet DOM nodes to the final URI of a 302 redirect, which might allow remote attackers to bypass the Same Origin Policy and read sensitive information from the original URL, such as with Single-Signon systems.

Overview

CVE ID
CVE-2008-0593

Assigner
secalert@redhat.com

Vulnerability Status
Modified

Published Version
2008-02-09T01:00:00

Last Modified Date
2018-10-15T22:01:36

Weakness Enumerations

CWE	URL
CWE-200	http://cwe.mitre.org/data/definitions/200.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version End
cpe:2.3:a:mozilla:firefox::::::::	1	OR	2.0.0.11
cpe:2.3:a:mozilla:firefox:0.2:::::::*	1	OR
cpe:2.3:a:mozilla:firefox:0.9.2:::::::*	1	OR
cpe:2.3:a:mozilla:firefox:1.0.2:::::::*	1	OR
cpe:2.3:a:mozilla:firefox:1.5.0.2:::::::*	1	OR
cpe:2.3:a:mozilla:firefox:1.5.0.12:::::::*	1	OR
cpe:2.3:a:mozilla:firefox:1.5.2:::::::*	1	OR
cpe:2.3:a:mozilla:firefox:2.0:::::::*	1	OR
cpe:2.3:a:mozilla:firefox:2.0.0.1:::::::*	1	OR
cpe:2.3:a:mozilla:firefox:2.0.0.10:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey::::::::	1	OR
cpe:2.3:a:mozilla:seamonkey::::::::	1	OR	1.1.17
cpe:2.3:a:mozilla:seamonkey:1.0:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0::alpha:::::	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0::beta:::::	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0::dev:::::	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0:alpha::::::	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0:beta::::::	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0.1:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0.2:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0.3:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0.4:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0.5:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0.6:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0.7:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0.8:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0.9:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.0.99:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.1:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.1.1:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.1.2:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.1.10:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.1.11:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.1.12:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.1.13:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.1.14:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.1.15:::::::*	1	OR
cpe:2.3:a:mozilla:seamonkey:1.1.16:::::::*	1	OR

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:M/Au:N/C:P/I:N/A:N

Access Vector
NETWORK

Access Compatibility
MEDIUM

Authentication
NONE

Confidentiality Impact
PARTIAL

Integrity Impact
NONE

Availability Impact
NONE

Base Score
4.3

Severity
MEDIUM

Exploitability Score
8.6

Impact Score
2.9

References

Reference URL	Reference Tags
http://www.mozilla.org/security/announce/2008/mfsa2008-10.html
https://bugzilla.mozilla.org/show_bug.cgi?id=397427
http://wiki.rpath.com/Advisories:rPSA-2008-0051
http://www.debian.org/security/2008/dsa-1484
http://www.debian.org/security/2008/dsa-1485
http://www.debian.org/security/2008/dsa-1489
http://www.redhat.com/support/errata/RHSA-2008-0103.html	Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2008-0104.html	Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2008-0105.html	Vendor Advisory
http://www.ubuntu.com/usn/usn-576-1
http://www.securityfocus.com/bid/27683
http://www.securitytracker.com/id?1019341
http://secunia.com/advisories/28818	Vendor Advisory
http://secunia.com/advisories/28754	Vendor Advisory
http://secunia.com/advisories/28758	Vendor Advisory
http://secunia.com/advisories/28766	Vendor Advisory
http://secunia.com/advisories/28815	Vendor Advisory
http://secunia.com/advisories/28839	Vendor Advisory
http://secunia.com/advisories/28864	Vendor Advisory
http://secunia.com/advisories/28865	Vendor Advisory
http://secunia.com/advisories/28877	Vendor Advisory
http://secunia.com/advisories/28879	Vendor Advisory
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00274.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00309.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00381.html
http://secunia.com/advisories/28924	Vendor Advisory
http://secunia.com/advisories/28939	Vendor Advisory
http://browser.netscape.com/releasenotes/
http://www.debian.org/security/2008/dsa-1506
http://www.mandriva.com/security/advisories?name=MDVSA-2008:048
http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html
http://secunia.com/advisories/28958	Vendor Advisory
http://secunia.com/advisories/29049	Vendor Advisory
http://secunia.com/advisories/29086	Vendor Advisory
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00905.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00946.html
http://secunia.com/advisories/29167	Vendor Advisory
http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html
http://secunia.com/advisories/29567	Vendor Advisory
http://secunia.com/advisories/30327	Vendor Advisory
http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1
http://secunia.com/advisories/30620	Vendor Advisory
http://www.vupen.com/english/advisories/2008/0627/references	Vendor Advisory
http://www.vupen.com/english/advisories/2008/0453/references	Vendor Advisory
http://www.vupen.com/english/advisories/2008/1793/references	Vendor Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10075
http://www.securityfocus.com/archive/1/487826/100/0/threaded

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2008-0593
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0593

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 18:18:31				Added to TrackCVE