CVE-2007-6589

The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 does not update the origin domain when retrieving the inner URL parameter yields an HTTP redirect, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI, a different vulnerability than CVE-2007-5947.

Published: Dec 28, 2007
Updated: Apr 13, 2023
CVE: CVE-2007-6589
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
mozilla / firefox	-	2.0.0.9.x
mozilla / seamonkey	-	1.1.6.x

http://blog.beford.org/?p=8
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
http://osvdb.org/43477
http://www.mozilla.org/security/announce/2007/mfsa2007-37.html
http://www.vupen.com/english/advisories/2008/0083
https://bugzilla.mozilla.org/show_bug.cgi?id=369814
https://bugzilla.mozilla.org/show_bug.cgi?id=403331
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6033

Vulnerability Database

290,020

CVE-2007-6589