Vulnerability in Mozilla Firefox, Firefox and SeaMonkey on Windows (CVE-2008-4582)
CVSS v2.0 severity:
MEDIUM
Type:
CWE-264
Permissions, Privileges, and Access Controls
Publication date:
15/10/2008
Last modified:
09/04/2025
Description
Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows shared folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.
Impact
Base score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | To |
|---|---|---|
| cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.0.1:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.0.2:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:3.0.3:*:*:*:*:*:*:* | | |
| cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:2.0.0.15:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:2.0.0.16:*:*:*:*:*:*:* | | |
| cpe:2.3:a:mozilla:firefox:2.0.0.17:*:*:*:*:*:*:* | | |
References to solutions, tools and information
- http://liudieyu0.blog124.fc2.com/blog-entry-6.html
- http://secunia.com/advisories/32192
- http://secunia.com/advisories/32684
- http://secunia.com/advisories/32693
- http://secunia.com/advisories/32714
- http://secunia.com/advisories/32721
- http://secunia.com/advisories/32778
- http://secunia.com/advisories/32845
- http://secunia.com/advisories/32853
- http://secunia.com/advisories/33433
- http://secunia.com/advisories/33434
- http://secunia.com/advisories/34501
- http://securityreason.com/securityalert/4416
- http://securitytracker.com/alerts/2008/Nov/1021212.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1
- http://ubuntu.com/usn/usn-667-1
- http://www.debian.org/security/2008/dsa-1669
- http://www.debian.org/security/2008/dsa-1671
- http://www.debian.org/security/2009/dsa-1696
- http://www.debian.org/security/2009/dsa-1697
- http://www.mozilla.org/security/announce/2008/mfsa2008-47.html
- http://www.securityfocus.com/archive/1/497091/100/0/threaded
- http://www.securityfocus.com/bid/31611
- http://www.securityfocus.com/bid/31747
- http://www.securitytracker.com/id?1021190=
- http://www.us-cert.gov/cas/techalerts/TA08-319A.html
- http://www.vupen.com/english/advisories/2008/2818
- http://www.vupen.com/english/advisories/2009/0977
- https://bugzilla.mozilla.org/show_bug.cgi?id=455311
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45740
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00366.html
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00385.html