Vulnerabilities > Mozilla > Firefox > 3.0.7

DATE CVE VULNERABILITY TITLE RISK
2009-06-12 CVE-2009-1392 Code Injection vulnerability in Mozilla Firefox, Seamonkey and Thunderbird
The browser engine in Mozilla Firefox 3 before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) nsEventStateManager::GetContentState and nsNativeTheme::CheckBooleanAttr; (2) UnhookTextRunFromFrames and ClearAllTextRunReferences; (3) nsTextFrame::ClearTextRun; (4) IsPercentageAware; (5) PL_DHashTableFinish; (6) nsListBoxBodyFrame::GetNextItemBox; (7) AtomTableClearEntry, related to the atom table, DOM mutation events, and Unicode surrogates; (8) nsHTMLEditor::HideResizers; and (9) nsWindow::SetCursor, related to changing the cursor; and other vectors.
network
mozilla CWE-94
critical
9.3
2009-04-22 CVE-2009-1312 Configuration vulnerability in Mozilla Firefox and Seamonkey
Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header.
network
mozilla CWE-16
4.3
2009-04-22 CVE-2009-1311 Information Exposure vulnerability in Mozilla Firefox and Seamonkey
Mozilla Firefox before 3.0.9 and SeaMonkey before 1.1.17 allow user-assisted remote attackers to obtain sensitive information via a web page with an embedded frame, which causes POST data from an outer page to be sent to the inner frame's URL during a SAVEMODE_FILEONLY save of the inner frame.
network
mozilla CWE-200
4.3
2009-04-22 CVE-2009-1310 Cross-Site Scripting vulnerability in Mozilla Firefox
Cross-site scripting (XSS) vulnerability in the MozSearch plugin implementation in Mozilla Firefox before 3.0.9 allows user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SearchForm element.
network
mozilla CWE-79
4.3
2009-04-22 CVE-2009-1309 Configuration vulnerability in Mozilla Firefox, Seamonkey and Thunderbird
Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey do not properly implement the Same Origin Policy for (1) XMLHttpRequest, involving a mismatch for a document's principal, and (2) XPCNativeWrapper.toString, involving an incorrect __proto__ scope, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via a crafted document.
network
mozilla CWE-16
4.3
2009-04-22 CVE-2009-1307 Improper Input Validation vulnerability in Mozilla Firefox, Seamonkey and Thunderbird
The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to (1) bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; (2) read, create, or modify Local Shared Objects via a Flash file; or (3) bypass unspecified restrictions and render content via vectors involving a jar: URI.
network
mozilla CWE-20
6.8
2009-04-22 CVE-2009-1306 Configuration vulnerability in Mozilla Firefox, Seamonkey and Thunderbird
The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation.
network
mozilla CWE-16
4.3
2009-04-22 CVE-2009-1305 Resource Management Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird
The JavaScript engine in Mozilla Firefox before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors involving JSOP_DEFVAR and properties that lack the JSPROP_PERMANENT attribute.
network
low complexity
mozilla CWE-399
5.0
2009-04-22 CVE-2009-1304 Resource Management Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird
The JavaScript engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors involving (1) js_FindPropertyHelper, related to the definitions of Math and Date; and (2) js_CheckRedeclaration.
network
low complexity
mozilla CWE-399
5.0
2009-04-22 CVE-2009-1303 Configuration vulnerability in Mozilla Firefox, Seamonkey and Thunderbird
The browser engine in Mozilla Firefox before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors related to nsSVGElement::BindToTree.
network
low complexity
mozilla CWE-16
5.0