CVE - CVE-2007-3656

CVE-ID
CVE-2007-3656	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not perform a security zone check when processing a wyciwyg URI, which allows remote attackers to obtain sensitive information, poison the browser cache, and possibly enable further attack vectors via (1) HTTP 302 redirect controls, (2) XMLHttpRequest, or (3) view-source URIs.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20070709 Firefox wyciwyg:// cache zone bypass URL:http://www.securityfocus.com/archive/1/473191/100/0/threaded BUGTRAQ:20070720 rPSA-2007-0148-1 firefox thunderbird URL:http://www.securityfocus.com/archive/1/474226/100/0/threaded BUGTRAQ:20070724 FLEA-2007-0033-1: firefox thunderbird URL:http://www.securityfocus.com/archive/1/474542/100/0/threaded MISC:http://lcamtuf.coredump.cx/ffcache/ CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=387333 CONFIRM:http://www.mozilla.org/security/announce/2007/mfsa2007-24.html CONFIRM:ftp://ftp.slackware.com/pub/slackware/slackware-12.0/ChangeLog.txt CONFIRM:http://support.novell.com/techcenter/psdb/07d098f99c9fe6956523beae37f32fda.html DEBIAN:DSA-1337 URL:http://www.debian.org/security/2007/dsa-1337 DEBIAN:DSA-1338 URL:http://www.debian.org/security/2007/dsa-1338 DEBIAN:DSA-1339 URL:http://www.debian.org/security/2007/dsa-1339 GENTOO:GLSA-200708-09 URL:http://www.gentoo.org/security/en/glsa/glsa-200708-09.xml HP:HPSBUX02153 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 HP:SSRT061181 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 MANDRIVA:MDKSA-2007:152 URL:http://www.mandriva.com/security/advisories?name=MDKSA-2007:152 REDHAT:RHSA-2007:0722 URL:http://www.redhat.com/support/errata/RHSA-2007-0722.html REDHAT:RHSA-2007:0724 URL:http://www.redhat.com/support/errata/RHSA-2007-0724.html SGI:20070701-01-P URL:ftp://patches.sgi.com/support/free/security/advisories/20070701-01-P.asc SUNALERT:103177 URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-103177-1 SUNALERT:201516 URL:http://sunsolve.sun.com/search/document.do?assetkey=1-66-201516-1 SUSE:SUSE-SA:2007:049 URL:http://www.novell.com/linux/security/advisories/2007_49_mozilla.html UBUNTU:USN-490-1 URL:http://www.ubuntu.com/usn/usn-490-1 BID:24831 URL:http://www.securityfocus.com/bid/24831 OSVDB:38028 URL:http://osvdb.org/38028 OVAL:oval:org.mitre.oval:def:9105 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9105 VUPEN:ADV-2007-4256 URL:http://www.vupen.com/english/advisories/2007/4256 SECTRACK:1018411 URL:http://www.securitytracker.com/id?1018411 SECUNIA:25990 URL:http://secunia.com/advisories/25990 SECUNIA:26103 URL:http://secunia.com/advisories/26103 SECUNIA:26107 URL:http://secunia.com/advisories/26107 SECUNIA:25589 URL:http://secunia.com/advisories/25589 SECUNIA:26179 URL:http://secunia.com/advisories/26179 SECUNIA:26149 URL:http://secunia.com/advisories/26149 SECUNIA:26151 URL:http://secunia.com/advisories/26151 SECUNIA:26072 URL:http://secunia.com/advisories/26072 SECUNIA:26211 URL:http://secunia.com/advisories/26211 SECUNIA:26216 URL:http://secunia.com/advisories/26216 SECUNIA:26204 URL:http://secunia.com/advisories/26204 SECUNIA:26205 URL:http://secunia.com/advisories/26205 SECUNIA:26159 URL:http://secunia.com/advisories/26159 SECUNIA:26271 URL:http://secunia.com/advisories/26271 SECUNIA:26258 URL:http://secunia.com/advisories/26258 SECUNIA:26460 URL:http://secunia.com/advisories/26460 SECUNIA:28135 URL:http://secunia.com/advisories/28135 SREASON:2872 URL:http://securityreason.com/securityalert/2872 XF:mozilla-wyciwyg-security-bypass(35298) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/35298
Assigning CNA
N/A
Date Entry Created
20070710	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20070710)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org

Use of the Common Vulnerabilities and Exposures (CVE®) List and the associated references from this website are subject to the terms of use. CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 1999–2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. For more information, please contact us.