4.3
CVE-2007-4038
- EPSS 1.11%
- Veröffentlicht 27.07.2007 22:30:00
- Zuletzt bearbeitet 16.06.2026 22:43:17
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Argument injection vulnerability in Mozilla Firefox before 2.0.0.5, when running on systems with Thunderbird 1.5 installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a mailto URI, which are inserted into the command line that is created when invoking Thunderbird.exe, a similar issue to CVE-2007-3670.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mozilla ≫ Thunderbird Version1.5
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.11% | 0.617 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
http://larholm.com/2007/07/25/mozilla-protocol-abuse/
http://seclists.org/fulldisclosure/2007/Jul/0557.html
http://www.securityfocus.com/archive/1/474624/100/0/threaded
http://www.securityfocus.com/archive/1/474686/100/0/threaded