CVE-2008-2801

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly implement JAR signing, which allows remote attackers to execute arbitrary code via (1) injection of JavaScript into documents within a JAR archive or (2) a JAR archive that uses relative URLs to JavaScript files.

Published: Jul 7, 2008
Updated: Nov 9, 2025
CVE: CVE-2008-2801
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
mozilla / firefox	2.0.0.12	2.0.0.12.x
mozilla / seamonkey	-	1.1.9.x
mozilla / seamonkey	1.1.8	1.1.8.x
mozilla / seamonkey	1.1.7	1.1.7.x
mozilla / seamonkey	1.1.3	1.1.3.x
mozilla / firefox	2.0.0.2	2.0.0.2.x
mozilla / seamonkey	1.1.5	1.1.5.x
mozilla / firefox	2.0.0.7	2.0.0.7.x
mozilla / seamonkey	1.1	1.1.x
mozilla / firefox	2.0.0.9	2.0.0.9.x
mozilla / seamonkey	1.1.2	1.1.2.x
mozilla / firefox	2.0	2.0.x
mozilla / firefox	-	2.0.0.14.x
mozilla / firefox	2.0.0.3	2.0.0.3.x
mozilla / firefox	2.0.0.6	2.0.0.6.x
mozilla / seamonkey	1.1.6	1.1.6.x
mozilla / firefox	2.0.0.11	2.0.0.11.x
mozilla / firefox	2.0.0.4	2.0.0.4.x
mozilla / firefox	2.0.0.13	2.0.0.13.x
mozilla / firefox	2.0.0.1	2.0.0.1.x
mozilla / firefox	2.0.0.8	2.0.0.8.x
mozilla / firefox	2.0.0.5	2.0.0.5.x
mozilla / firefox	2.0.0.10	2.0.0.10.x
mozilla / seamonkey	1.1.4	1.1.4.x

Vulnerability Database

300,445

CVE-2008-2801

Deep Security Visibility Without the Complexity