4.3

CVE-2009-3014

Exploit

Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly handle javascript: URIs in HTML links within 302 error documents sent from web servers, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Location HTTP response header or (2) specifying the content of a Location HTTP response header.

Data provided by the National Vulnerability Database (NVD)
Mozilla Firefox Version <= 3.0.13
Mozilla Firefox Version 3.0.1
Mozilla Firefox Version 3.0.2
Mozilla Firefox Version 3.0.3
Mozilla Firefox Version 3.0.4
Mozilla Firefox Version 3.0.5
Mozilla Firefox Version 3.0.6
Mozilla Firefox Version 3.0.7
Mozilla Firefox Version 3.0.8
Mozilla Firefox Version 3.0.9
Mozilla Firefox Version 3.0.10
Mozilla Firefox Version 3.0.11
Mozilla Firefox Version 3.0.12
Mozilla Firefox Version 3.5
Mozilla Firefox Version 3.6 Update a1_pre
Mozilla Firefox Version 3.7 Update a1_pre
Mozilla Mozilla Version <= 1.7
Mozilla Mozilla Version 0.8
Mozilla Mozilla Version 0.9.2
Mozilla Mozilla Version 0.9.2.1
Mozilla Mozilla Version 0.9.3
Mozilla Mozilla Version 0.9.4
Mozilla Mozilla Version 0.9.4.1
Mozilla Mozilla Version 0.9.5
Mozilla Mozilla Version 0.9.6
Mozilla Mozilla Version 0.9.7
Mozilla Mozilla Version 0.9.8
Mozilla Mozilla Version 0.9.9
Mozilla Mozilla Version 0.9.35
Mozilla Mozilla Version 0.9.48
Mozilla Mozilla Version 1.0
Mozilla Mozilla Version 1.0 Update rc1
Mozilla Mozilla Version 1.0 Update rc2
Mozilla Mozilla Version 1.0 Update rc3
Mozilla Mozilla Version 1.0.1
Mozilla Mozilla Version 1.0.2
Mozilla Mozilla Version 1.1
Mozilla Mozilla Version 1.1 Update alpha
Mozilla Mozilla Version 1.1 Update beta
Mozilla Mozilla Version 1.2
Mozilla Mozilla Version 1.2 Update alpha
Mozilla Mozilla Version 1.2 Update beta
Mozilla Mozilla Version 1.2.1
Mozilla Mozilla Version 1.3
Mozilla Mozilla Version 1.3.1
Mozilla Mozilla Version 1.4
Mozilla Mozilla Version 1.4 Update alpha
Mozilla Mozilla Version 1.4 Update beta
Mozilla Mozilla Version 1.4.1
Mozilla Mozilla Version 1.4.2
Mozilla Mozilla Version 1.4.4
Mozilla Mozilla Version 1.5
Mozilla Mozilla Version 1.5 Update alpha
Mozilla Mozilla Version 1.5 Update rc1
Mozilla Mozilla Version 1.5 Update rc2
Mozilla Mozilla Version 1.5.1
Mozilla Mozilla Version 1.6
Mozilla Mozilla Version 1.6 Update alpha
Mozilla Mozilla Version 1.6 Update beta
Mozilla Seamonkey Version 1.1.17
No CISA KEV entry or CERT.AT warning was found for this CVE.

EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.29% | 0.491

CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.