CVE-2008-4582
Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.
Published: 2008-10-15T20:08:02.810
Last Modified: 2025-04-09T00:30:58.490
Status: Deferred
Source: [email protected]
Severity: CVSSv2 4.3 (MEDIUM)
CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
- Access Vector: NETWORK
- Access Complexity: MEDIUM
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: NONE
- Availability Impact: NONE
Exploitability Score: 8.6
Impact Score: 2.9
Weaknesses
Affected Vendors & Products
References
- http://liudieyu0.blog124.fc2.com/blog-entry-6.html (Broken Link)
- http://secunia.com/advisories/32192 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/32684 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/32693 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/32714 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/32721 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/32778 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/32845 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/32853 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/33433 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/33434 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/34501 (Permissions Required, Third Party Advisory)
- http://securityreason.com/securityalert/4416 (Third Party Advisory)
- http://securitytracker.com/alerts/2008/Nov/1021212.html (Third Party Advisory, VDB Entry)
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1 (Broken Link)
- http://ubuntu.com/usn/usn-667-1 (Third Party Advisory)
- http://www.debian.org/security/2008/dsa-1669 (Third Party Advisory)
- http://www.debian.org/security/2008/dsa-1671 (Third Party Advisory)
- http://www.debian.org/security/2009/dsa-1696 (Third Party Advisory)
- http://www.debian.org/security/2009/dsa-1697 (Third Party Advisory)
- http://www.mozilla.org/security/announce/2008/mfsa2008-47.html (Vendor Advisory)
- http://www.securityfocus.com/archive/1/497091/100/0/threaded
- http://www.securityfocus.com/bid/31611 (Third Party Advisory, VDB Entry)
- http://www.securityfocus.com/bid/31747 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id?1021190 (Third Party Advisory, VDB Entry)
- http://www.us-cert.gov/cas/techalerts/TA08-319A.html (Third Party Advisory, US Government Resource)
- http://www.vupen.com/english/advisories/2008/2818 (Not Applicable)
- http://www.vupen.com/english/advisories/2009/0977 (Not Applicable)
- https://bugzilla.mozilla.org/show_bug.cgi?id=455311 (Issue Tracking)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45740
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00366.html (Not Applicable)
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00385.html (Not Applicable)