Vulnerabilities > Mozilla > Firefox > 3.0beta5
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2009-08-31 | CVE-2009-3010 | Cross-Site Scripting vulnerability in Mozilla Firefox, Mozilla and Seamonkey Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. | 4.3 |
| 2009-07-22 | CVE-2009-2467 | Unspecified vulnerability in Mozilla Firefox Mozilla Firefox before 3.0.12 and 3.5 before 3.5.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving a Flash object, a slow script dialog, and the unloading of the Flash plugin, which triggers attempted use of a deleted object. | 10.0 |
| 2009-06-12 | CVE-2009-1841 | Code Injection vulnerability in Mozilla Firefox, Seamonkey and Thunderbird js/src/xpconnect/src/xpcwrappedjsclass.cpp in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to execute arbitrary web script with the privileges of a chrome object, as demonstrated by the browser sidebar and the FeedWriter. | 9.3 |
| 2009-06-12 | CVE-2009-1840 | Permissions, Privileges, and Access Controls vulnerability in Mozilla Firefox, Seamonkey and Thunderbird Mozilla Firefox before 3.0.11, Thunderbird, and SeaMonkey do not check content policy before loading a script file into a XUL document, which allows remote attackers to bypass intended access restrictions via a crafted HTML document, as demonstrated by a "web bug" in an e-mail message, or web script or an advertisement in a web page. | 9.3 |
| 2009-06-12 | CVE-2009-1839 | Permissions, Privileges, and Access Controls vulnerability in Mozilla Firefox Mozilla Firefox 3 before 3.0.11 associates an incorrect principal with a file: URL loaded through the location bar, which allows user-assisted remote attackers to bypass intended access restrictions and read files via a crafted HTML document, aka a "file-URL-to-file-URL scripting" attack. | 5.4 |
| 2009-06-12 | CVE-2009-1838 | Code Injection vulnerability in Mozilla Firefox, Seamonkey and Thunderbird The garbage-collection implementation in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 sets an element's owner document to null in unspecified circumstances, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafted event handler, related to an incorrect context for this event handler. | 9.3 |
| 2009-06-12 | CVE-2009-1836 | Improper Authentication vulnerability in Mozilla Firefox, Seamonkey and Thunderbird Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 use the HTTP Host header to determine the context of a document provided in a non-200 CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack. | 6.8 |
| 2009-06-12 | CVE-2009-1833 | Code Injection vulnerability in Mozilla Firefox, Seamonkey and Thunderbird The JavaScript engine in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) js_LeaveSharpObject, (2) ParseXMLSource, and (3) a certain assertion in jsinterp.c; and other vectors. | 9.3 |
| 2009-06-12 | CVE-2009-1832 | Code Injection vulnerability in Mozilla Firefox, Seamonkey and Thunderbird Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors involving "double frame construction." | 9.3 |
| 2009-04-22 | CVE-2009-1312 | Configuration vulnerability in Mozilla Firefox and Seamonkey Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. | 4.3 |