CVE-2009-1308

CVSS V2 Medium 4.3 CVSS V3 None
Description
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay listing.
Overview
  • CVE ID
  • CVE-2009-1308
  • Assigner
  • secalert@redhat.com
  • Vulnerability Status
  • Modified
  • Published Version
  • 2009-04-22T18:30:00
  • Last Modified Date
  • 2023-02-13T02:20:06
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* 1 OR 3.0.8
cpe:2.3:a:mozilla:firefox:0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.6.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.7.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.9:rc:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.9.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.9.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.9.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.9_rc:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.10.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0:preview_release:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.6:*:linux:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0:beta_1:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0:rc3:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.15:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.16:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.17:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.18:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.19:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.20:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.21:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0:alpha:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0:beta5:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0beta5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:N/I:P/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • NONE
  • Base Score
  • 4.3
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8.6
  • Impact Score
  • 2.9
References
Reference URL Reference Tags
http://www.theregister.co.uk/2009/03/08/ebay_scam_wizardy/
https://bugzilla.mozilla.org/show_bug.cgi?id=481558 Exploit
http://www.mozilla.org/security/announce/2009/mfsa2009-18.html Vendor Advisory
http://www.securitytracker.com/id?1022097
http://secunia.com/advisories/34894
https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00683.html
http://secunia.com/advisories/34758
http://www.redhat.com/support/errata/RHSA-2009-0436.html
http://www.securityfocus.com/bid/34656
http://secunia.com/advisories/34843
http://www.vupen.com/english/advisories/2009/1125
http://secunia.com/advisories/34780
http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html
http://secunia.com/advisories/35065
http://www.mandriva.com/security/advisories?name=MDVSA-2009:111
http://secunia.com/advisories/35042
http://www.debian.org/security/2009/dsa-1797
http://www.redhat.com/support/errata/RHSA-2009-1126.html
http://www.ubuntu.com/usn/usn-782-1
http://secunia.com/advisories/35536
http://www.mandriva.com/security/advisories?name=MDVSA-2009:141
http://sunsolve.sun.com/search/document.do?assetkey=1-66-264308-1
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7285
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6296
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6185
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6173
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10428
https://usn.ubuntu.com/764-1/
History
Created Old Value New Value Data Type Notes
2022-05-10 18:36:18 Added to TrackCVE
2023-02-02 19:02:27 2023-02-02T17:16:11 CVE Modified Date updated
2023-02-02 19:02:29 Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay listing. CVE-2009-1308 Firefox XSS hazard using third-party stylesheets and XBL bindings Description updated
2023-02-13 03:03:00 2023-02-13T02:20:06 CVE Modified Date updated
2023-02-13 03:03:01 CVE-2009-1308 Firefox XSS hazard using third-party stylesheets and XBL bindings Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay listing. Description updated