CVE - CVE-2007-5947

CVE-ID
CVE-2007-5947	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 retrieves the inner URL regardless of its MIME type, and considers HTML documents within a jar archive to have the same origin as the inner URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20080212 FLEA-2008-0001-1 firefox URL:http://www.securityfocus.com/archive/1/488002/100/0/threaded BUGTRAQ:20080229 rPSA-2008-0093-1 thunderbird URL:http://www.securityfocus.com/archive/1/488971/100/0/threaded MISC:http://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues MISC:http://bugs.gentoo.org/show_bug.cgi?id=198965 MISC:http://bugs.gentoo.org/show_bug.cgi?id=200909 CONFIRM:http://www.mozilla.org/security/announce/2007/mfsa2007-37.html CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=369814 CONFIRM:https://issues.rpath.com/browse/RPL-1984 CONFIRM:http://wiki.rpath.com/wiki/Advisories:rPSA-2007-0260 CONFIRM:http://browser.netscape.com/releasenotes/ CONFIRM:http://wiki.rpath.com/Advisories:rPSA-2008-0093 CONFIRM:http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093 CONFIRM:https://issues.rpath.com/browse/RPL-1995 DEBIAN:DSA-1424 URL:http://www.debian.org/security/2007/dsa-1424 DEBIAN:DSA-1425 URL:http://www.debian.org/security/2007/dsa-1425 FEDORA:FEDORA-2007-3952 URL:https://www.redhat.com/archives/fedora-package-announce/2007-November/msg01011.html FEDORA:FEDORA-2007-4098 URL:https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00168.html FEDORA:FEDORA-2007-4106 URL:https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00135.html FEDORA:FEDORA-2007-756 URL:https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00115.html GENTOO:GLSA-200712-21 URL:http://security.gentoo.org/glsa/glsa-200712-21.xml HP:HPSBUX02153 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 HP:SSRT061181 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 MANDRIVA:MDKSA-2007:246 URL:http://www.mandriva.com/security/advisories?name=MDKSA-2007:246 REDHAT:RHSA-2007:1082 URL:http://www.redhat.com/support/errata/RHSA-2007-1082.html REDHAT:RHSA-2007:1084 URL:http://www.redhat.com/support/errata/RHSA-2007-1084.html REDHAT:RHSA-2007:1083 URL:http://www.redhat.com/support/errata/RHSA-2007-1083.html SLACKWARE:SSA:2007-331-01 URL:http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.374833 SLACKWARE:SSA:2007-333-01 URL:http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.365006 SUNALERT:231441 URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-231441-1 SUNALERT:1018977 URL:http://sunsolve.sun.com/search/document.do?assetkey=1-77-1018977.1-1 SUSE:SUSE-SA:2007:066 URL:http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00004.html UBUNTU:USN-546-1 URL:https://usn.ubuntu.com/546-1/ UBUNTU:USN-546-2 URL:http://www.ubuntu.com/usn/usn-546-2 CERT-VN:VU#715737 URL:http://www.kb.cert.org/vuls/id/715737 BID:26385 URL:http://www.securityfocus.com/bid/26385 OVAL:oval:org.mitre.oval:def:9873 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9873 VUPEN:ADV-2007-3818 URL:http://www.vupen.com/english/advisories/2007/3818 VUPEN:ADV-2007-4002 URL:http://www.vupen.com/english/advisories/2007/4002 VUPEN:ADV-2007-4018 URL:http://www.vupen.com/english/advisories/2007/4018 VUPEN:ADV-2008-0083 URL:http://www.vupen.com/english/advisories/2008/0083 VUPEN:ADV-2008-0643 URL:http://www.vupen.com/english/advisories/2008/0643 SECTRACK:1018928 URL:http://www.securitytracker.com/id?1018928 SECUNIA:27605 URL:http://secunia.com/advisories/27605 SECUNIA:27793 URL:http://secunia.com/advisories/27793 SECUNIA:27796 URL:http://secunia.com/advisories/27796 SECUNIA:27797 URL:http://secunia.com/advisories/27797 SECUNIA:27816 URL:http://secunia.com/advisories/27816 SECUNIA:27944 URL:http://secunia.com/advisories/27944 SECUNIA:27957 URL:http://secunia.com/advisories/27957 SECUNIA:28001 URL:http://secunia.com/advisories/28001 SECUNIA:28016 URL:http://secunia.com/advisories/28016 SECUNIA:27955 URL:http://secunia.com/advisories/27955 SECUNIA:28171 URL:http://secunia.com/advisories/28171 SECUNIA:28277 URL:http://secunia.com/advisories/28277 SECUNIA:27800 URL:http://secunia.com/advisories/27800 SECUNIA:27838 URL:http://secunia.com/advisories/27838 SECUNIA:27845 URL:http://secunia.com/advisories/27845 SECUNIA:28398 URL:http://secunia.com/advisories/28398 SECUNIA:27855 URL:http://secunia.com/advisories/27855 SECUNIA:27979 URL:http://secunia.com/advisories/27979 SECUNIA:29164 URL:http://secunia.com/advisories/29164 XF:firefox-jar-uri-xss(38356) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/38356
Assigning CNA
N/A
Date Entry Created
20071113	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20071113)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org