QwikSec

Security Database

CVE

CWE

Training

CVE-2009-0356

Published: Feb 4, 2009

Modified: Aug 7, 2024

PUBLISHED

Description

Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

vdb-entry

x_refsource_VUPEN

http://www.mozilla.org/security/announce/2009/mfsa2009-04.html

x_refsource_CONFIRM

SUSE-SA:2009:009

vendor-advisory

x_refsource_SUSE

third-party-advisory

x_refsource_SECUNIA

oval:org.mitre.oval:def:9922

vdb-entry

signature

x_refsource_OVAL

vendor-advisory

x_refsource_MANDRIVA

vendor-advisory

x_refsource_REDHAT

https://bugzilla.mozilla.org/show_bug.cgi?id=460425

x_refsource_CONFIRM

http://support.avaya.com/elmodocs2/security/ASA-2009-040.htm

x_refsource_CONFIRM

vdb-entry

x_refsource_SECTRACK

third-party-advisory

x_refsource_SECUNIA

third-party-advisory

x_refsource_SECUNIA

third-party-advisory

x_refsource_SECUNIA

third-party-advisory

x_refsource_SECUNIA

vdb-entry

x_refsource_BID

FEDORA-2009-1399

vendor-advisory

x_refsource_FEDORA

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.