7.5

CVE-2008-5024

Exploit

Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly escape quote characters used for XML processing, which allows remote attackers to conduct XML injection attacks via the default namespace in an E4X document.

Data is provided by the National Vulnerability Database (NVD)
MozillaFirefox Version >= 2.0 < 2.0.0.18
MozillaFirefox Version >= 3.0 < 3.0.4
MozillaSeamonkey Version >= 1.0 < 1.1.13
MozillaThunderbird Version >= 2.0 < 2.0.0.18
DebianDebian Linux Version4.0
CanonicalUbuntu Linux Version6.06 SwEditionlts
CanonicalUbuntu Linux Version7.10
CanonicalUbuntu Linux Version8.04 SwEditionlts
CanonicalUbuntu Linux Version8.10
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 7.22% 0.912
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

http://ubuntu.com/usn/usn-667-1
Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA08-319A.html
Third Party Advisory
US Government Resource
http://www.securityfocus.com/bid/32281
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id?1021192
Third Party Advisory
VDB Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=453915
Vendor Advisory
Exploit
Issue Tracking