CVE-2009-2654

CVSS V2 Medium 5.8 CVSS V3 None
Description
Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page.
Overview
  • CVE ID
  • CVE-2009-2654
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Modified
  • Published Version
  • 2009-08-03T14:30:00
  • Last Modified Date
  • 2018-10-03T22:00:55
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* 1 OR 3.5.1
cpe:2.3:a:mozilla:firefox:0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.6.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.7.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.9:rc:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.9.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.9.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.9.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.9_rc:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:0.10.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0:preview_release:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.0.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.4.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.0.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.5.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:1.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0:beta_1:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0:rc3:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.15:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.16:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.17:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.18:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.19:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.20:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0.0.21:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:2.0_8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0:beta5:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.0.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.1:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.2:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.2:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.2:beta3:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:3.5:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:N/I:P/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • PARTIAL
  • Base Score
  • 5.8
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8.6
  • Impact Score
  • 4.9
References
Reference URL Reference Tags
http://www.vupen.com/english/advisories/2009/2006 Patch Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=451898
http://secunia.com/advisories/36001 Vendor Advisory
http://blog.mozilla.com/security/2009/07/28/url-bar-spoofing-vulnerability/ Patch Vendor Advisory
http://www.securityfocus.com/archive/1/505242/30/0/threaded Exploit
http://www.mozilla.org/security/announce/2009/mfsa2009-44.html Patch Vendor Advisory
http://www.securityfocus.com/bid/35803 Exploit Patch
http://www.vupen.com/english/advisories/2009/2142 Patch Vendor Advisory
http://osvdb.org/56717
http://www.securityfocus.com/archive/1/505265
http://secunia.com/advisories/36141 Vendor Advisory
http://www.securitytracker.com/id?1022603
http://es.geocities.com/jplopezy/firefoxspoofing.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00261.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00198.html
http://secunia.com/advisories/36126 Vendor Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1
http://www.redhat.com/support/errata/RHSA-2009-1432.html
http://www.redhat.com/support/errata/RHSA-2009-1431.html
http://www.redhat.com/support/errata/RHSA-2009-1430.html
http://secunia.com/advisories/36435 Vendor Advisory
http://www.debian.org/security/2009/dsa-1873
http://secunia.com/advisories/36669
http://secunia.com/advisories/36670
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9686
https://usn.ubuntu.com/811-1/
History
Created Old Value New Value Data Type Notes
2022-05-10 18:36:16 Added to TrackCVE