CVE - CVE-2008-5012

CVE-ID
CVE-2008-5012	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly change the source URI when processing a canvas element and an HTTP redirect, which allows remote attackers to bypass the same origin policy and access arbitrary images that are not directly accessible to the attacker. NOTE: this issue can be leveraged to enumerate software on the client by performing redirections related to moz-icon.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:1021187 URL:http://www.securitytracker.com/id?1021187 MISC:20081118 Firefox cross-domain image theft (CESA-2008-009) URL:http://www.securityfocus.com/archive/1/498468 MISC:256408 URL:~~http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1~~ (Obsolete source) MISC:32281 URL:http://www.securityfocus.com/bid/32281 MISC:32351 URL:http://www.securityfocus.com/bid/32351 MISC:32684 URL:http://secunia.com/advisories/32684 MISC:32693 URL:http://secunia.com/advisories/32693 MISC:32694 URL:http://secunia.com/advisories/32694 MISC:32714 URL:http://secunia.com/advisories/32714 MISC:32715 URL:http://secunia.com/advisories/32715 MISC:32778 URL:http://secunia.com/advisories/32778 MISC:32798 URL:http://secunia.com/advisories/32798 MISC:32845 URL:http://secunia.com/advisories/32845 MISC:32853 URL:http://secunia.com/advisories/32853 MISC:33433 URL:http://secunia.com/advisories/33433 MISC:33434 URL:http://secunia.com/advisories/33434 MISC:34501 URL:http://secunia.com/advisories/34501 MISC:ADV-2008-3146 URL:~~http://www.vupen.com/english/advisories/2008/3146~~ (Obsolete source) MISC:ADV-2009-0977 URL:~~http://www.vupen.com/english/advisories/2009/0977~~ (Obsolete source) MISC:DSA-1669 URL:http://www.debian.org/security/2008/dsa-1669 MISC:DSA-1671 URL:http://www.debian.org/security/2008/dsa-1671 MISC:DSA-1696 URL:http://www.debian.org/security/2009/dsa-1696 MISC:DSA-1697 URL:http://www.debian.org/security/2009/dsa-1697 MISC:FEDORA-2008-9667 URL:https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00366.html MISC:MDVSA-2008:228 URL:~~http://www.mandriva.com/security/advisories?name=MDVSA-2008:228~~ (Obsolete source) MISC:MDVSA-2008:235 URL:~~http://www.mandriva.com/security/advisories?name=MDVSA-2008:235~~ (Obsolete source) MISC:RHSA-2008:0976 URL:http://www.redhat.com/support/errata/RHSA-2008-0976.html MISC:RHSA-2008:0977 URL:http://www.redhat.com/support/errata/RHSA-2008-0977.html MISC:SUSE-SA:2008:055 URL:http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00004.html MISC:TA08-319A URL:http://www.us-cert.gov/cas/techalerts/TA08-319A.html MISC:USN-667-1 URL:http://ubuntu.com/usn/usn-667-1 MISC:http://scary.beasts.org/security/CESA-2008-009.html URL:http://scary.beasts.org/security/CESA-2008-009.html MISC:http://scarybeastsecurity.blogspot.com/2008/11/firefox-cross-domain-image-theft-and.html URL:http://scarybeastsecurity.blogspot.com/2008/11/firefox-cross-domain-image-theft-and.html MISC:http://www.mozilla.org/security/announce/2008/mfsa2008-48.html URL:http://www.mozilla.org/security/announce/2008/mfsa2008-48.html MISC:https://bugzilla.mozilla.org/show_bug.cgi?id=355126 URL:https://bugzilla.mozilla.org/show_bug.cgi?id=355126 MISC:https://bugzilla.mozilla.org/show_bug.cgi?id=451619 URL:https://bugzilla.mozilla.org/show_bug.cgi?id=451619 MISC:oval:org.mitre.oval:def:10750 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10750
Assigning CNA
Red Hat, Inc.
Date Record Created
20081110	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20081110)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)