CVE-2007-3656 - Vulnerability Details

Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not perform a security zone check when processing a wyciwyg URI, which allows remote attackers to obtain sensitive information, poison the browser cache, and possibly enable further attack vectors via (1) HTTP 302 redirect controls, (2) XMLHttpRequest, or (3) view-source URIs.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.0523.

Key SSVC decision points have not yet been added.

Vendors	Products
Mozilla Subscribe	Firefox Subscribe
Redhat Subscribe	Enterprise Linux Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:1.0:::::::*
	cpe:2.3:a:mozilla:firefox:1.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:1.0.2:::::::*
	cpe:2.3:a:mozilla:firefox:1.0.3:::::::*
	cpe:2.3:a:mozilla:firefox:1.0.4:::::::*
	cpe:2.3:a:mozilla:firefox:1.0.5:::::::*
	cpe:2.3:a:mozilla:firefox:1.0.6:::::::*
	cpe:2.3:a:mozilla:firefox:1.0.7:::::::*
	cpe:2.3:a:mozilla:firefox:1.0.8:::::::*
	cpe:2.3:a:mozilla:firefox:1.5:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.0.1:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.0.2:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.0.3:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.0.4:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.0.5:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.0.6:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.0.7:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.0.8:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.0.9:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.0.10:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.0.11:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.0.12:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.1:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.2:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.3:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.4:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.5:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.6:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.7:::::::*
	cpe:2.3:a:mozilla:firefox:1.5.8:::::::*
	cpe:2.3:a:mozilla:firefox:1.8:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 2.1
seamonkey-0:1.0.9-0.4.el2	cpe:/o:redhat:enterprise_linux:2.1	RHSA-2007:0722	2007-07-19T00:00:00Z
Red Hat Enterprise Linux 3
seamonkey-0:1.0.9-0.3.el3	cpe:/o:redhat:enterprise_linux:3	RHSA-2007:0722	2007-07-19T00:00:00Z
Red Hat Enterprise Linux 4
seamonkey-0:1.0.9-4.el4	cpe:/o:redhat:enterprise_linux:4	RHSA-2007:0722	2007-07-19T00:00:00Z
firefox-0:1.5.0.12-0.3.el4	cpe:/o:redhat:enterprise_linux:4	RHSA-2007:0724	2007-07-19T00:00:00Z
Red Hat Enterprise Linux 5
firefox-0:1.5.0.12-3.el5	cpe:/o:redhat:enterprise_linux:5	RHSA-2007:0724	2007-07-19T00:00:00Z

No data.

Advisories

Source	ID	Title
Debian DSA	DSA-1337-1	New xulrunner packages fix several vulnerabilities
Debian DSA	DSA-1338-1	New iceweasel packages fix several vulnerabilities
Debian DSA	DSA-1339-1	New iceape packages fix several vulnerabilities
EUVD	EUVD-2007-3640	Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not perform a security zone check when processing a wyciwyg URI, which allows remote attackers to obtain sensitive information, poison the browser cache, and possibly enable further attack vectors via (1) HTTP 302 redirect controls, (2) XMLHttpRequest, or (3) view-source URIs.
Ubuntu USN	USN-490-1	Firefox vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/ChangeLog.txt
ftp://patches.sgi.com/support/free/security/advisories/20070701-01-P.asc
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
http://lcamtuf.coredump.cx/ffcache/
http://osvdb.org/38028
http://secunia.com/advisories/25589
http://secunia.com/advisories/25990
http://secunia.com/advisories/26072
http://secunia.com/advisories/26103
http://secunia.com/advisories/26107
http://secunia.com/advisories/26149
http://secunia.com/advisories/26151
http://secunia.com/advisories/26159
http://secunia.com/advisories/26179
http://secunia.com/advisories/26204
http://secunia.com/advisories/26205
http://secunia.com/advisories/26211
http://secunia.com/advisories/26216
http://secunia.com/advisories/26258
http://secunia.com/advisories/26271
http://secunia.com/advisories/26460
http://secunia.com/advisories/28135
http://securityreason.com/securityalert/2872
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103177-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201516-1
http://support.novell.com/techcenter/psdb/07d098f99c9fe6956523beae37f32fda.html
http://www.debian.org/security/2007/dsa-1337
http://www.debian.org/security/2007/dsa-1338
http://www.debian.org/security/2007/dsa-1339
http://www.gentoo.org/security/en/glsa/glsa-200708-09.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2007:152
http://www.mozilla.org/security/announce/2007/mfsa2007-24.html
http://www.novell.com/linux/security/advisories/2007_49_mozilla.html
http://www.redhat.com/support/errata/RHSA-2007-0722.html
http://www.redhat.com/support/errata/RHSA-2007-0724.html
http://www.securityfocus.com/archive/1/473191/100/0/threaded
http://www.securityfocus.com/archive/1/474226/100/0/threaded
http://www.securityfocus.com/archive/1/474542/100/0/threaded
http://www.securityfocus.com/bid/24831
http://www.securitytracker.com/id?1018411
http://www.ubuntu.com/usn/usn-490-1
http://www.vupen.com/english/advisories/2007/4256
https://bugzilla.mozilla.org/show_bug.cgi?id=387333
https://exchange.xforce.ibmcloud.com/vulnerabilities/35298
https://nvd.nist.gov/vuln/detail/CVE-2007-3656
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9105
https://www.cve.org/CVERecord?id=CVE-2007-3656

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-07-10T19:00:00

Updated: 2024-08-07T14:28:51.087Z

Reserved: 2007-07-10T00:00:00

Link: CVE-2007-3656

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2007-07-10T19:30:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2007-3656

Redhat

Severity : Moderate

Publid Date: 2007-07-09T00:00:00Z

Links: CVE-2007-3656 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-200

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Projects

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object