Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors involving (1) an event handler attached to an outer window, (2) a SCRIPT element in an unloaded document, or (3) the onreadystatechange handler in conjunction with an XMLHttpRequest.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.02008.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Mozilla Subscribe
Firefox Subscribe
Seamonkey Subscribe
Redhat Subscribe
Enterprise Linux Subscribe

Configuration 1 [-]

OR cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.1.2:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.1.3:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.1.4:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.1.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.1.6:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.1.7:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:1.1.8:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 2.1
seamonkey-0:1.0.9-0.17.el2 cpe:/o:redhat:enterprise_linux:2.1 RHSA-2008:0547 2008-07-02T00:00:00Z
Red Hat Enterprise Linux 3
seamonkey-0:1.0.9-0.20.el3 cpe:/o:redhat:enterprise_linux:3 RHSA-2008:0547 2008-07-02T00:00:00Z
Red Hat Enterprise Linux 4
seamonkey-0:1.0.9-16.3.el4_6 cpe:/o:redhat:enterprise_linux:4 RHSA-2008:0547 2008-07-02T00:00:00Z
firefox-0:1.5.0.12-0.19.el4 cpe:/o:redhat:enterprise_linux:4 RHSA-2008:0549 2008-07-02T00:00:00Z
thunderbird-0:1.5.0.12-14.el4 cpe:/o:redhat:enterprise_linux:4 RHSA-2008:0616 2008-07-23T00:00:00Z
Red Hat Enterprise Linux 5
devhelp-0:0.12-17.el5 cpe:/o:redhat:enterprise_linux:5 RHSA-2008:0569 2008-07-02T00:00:00Z
firefox-0:3.0-2.el5 cpe:/o:redhat:enterprise_linux:5 RHSA-2008:0569 2008-07-02T00:00:00Z
xulrunner-0:1.9-1.el5 cpe:/o:redhat:enterprise_linux:5 RHSA-2008:0569 2008-07-02T00:00:00Z
yelp-0:2.16.0-19.el5 cpe:/o:redhat:enterprise_linux:5 RHSA-2008:0569 2008-07-02T00:00:00Z
thunderbird-0:2.0.0.16-1.el5 cpe:/o:redhat:enterprise_linux:5 RHSA-2008:0616 2008-07-23T00:00:00Z

No data.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-1607-1 New iceweasel packages fix several vulnerabilities
Debian DSA Debian DSA DSA-1615-1 New xulrunner packages fix several vulnerabilities
Debian DSA Debian DSA DSA-1697-1 New iceape packages fix several vulnerabilities
EUVD EUVD EUVD-2008-2793 Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors involving (1) an event handler attached to an outer window, (2) a SCRIPT element in an unloaded document, or (3) the onreadystatechange handler in conjunction with an XMLHttpRequest.
Ubuntu USN Ubuntu USN USN-619-1 Firefox vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2008-0616.html cve-icon cve-icon
http://secunia.com/advisories/30878 cve-icon cve-icon
http://secunia.com/advisories/30898 cve-icon cve-icon
http://secunia.com/advisories/30903 cve-icon cve-icon
http://secunia.com/advisories/30911 cve-icon cve-icon
http://secunia.com/advisories/30949 cve-icon cve-icon
http://secunia.com/advisories/31005 cve-icon cve-icon
http://secunia.com/advisories/31008 cve-icon cve-icon
http://secunia.com/advisories/31021 cve-icon cve-icon
http://secunia.com/advisories/31023 cve-icon cve-icon
http://secunia.com/advisories/31069 cve-icon cve-icon
http://secunia.com/advisories/31076 cve-icon cve-icon
http://secunia.com/advisories/31183 cve-icon cve-icon
http://secunia.com/advisories/31195 cve-icon cve-icon
http://secunia.com/advisories/31377 cve-icon cve-icon
http://secunia.com/advisories/33433 cve-icon cve-icon
http://secunia.com/advisories/34501 cve-icon cve-icon
http://security.gentoo.org/glsa/glsa-200808-03.xml cve-icon cve-icon
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.383152 cve-icon cve-icon
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.384911 cve-icon cve-icon
http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1 cve-icon cve-icon
http://wiki.rpath.com/Advisories:rPSA-2008-0216 cve-icon cve-icon
http://www.debian.org/security/2008/dsa-1607 cve-icon cve-icon
http://www.debian.org/security/2008/dsa-1615 cve-icon cve-icon
http://www.debian.org/security/2009/dsa-1697 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2008:136 cve-icon cve-icon
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 cve-icon cve-icon
http://www.mozilla.org/security/announce/2008/mfsa2008-22.html cve-icon cve-icon
http://www.redhat.com/support/errata/RHSA-2008-0547.html cve-icon cve-icon
http://www.redhat.com/support/errata/RHSA-2008-0549.html cve-icon cve-icon
http://www.redhat.com/support/errata/RHSA-2008-0569.html cve-icon cve-icon
http://www.securityfocus.com/archive/1/494080/100/0/threaded cve-icon cve-icon
http://www.securityfocus.com/bid/30038 cve-icon cve-icon
http://www.securitytracker.com/id?1020419 cve-icon cve-icon
http://www.ubuntu.com/usn/usn-619-1 cve-icon cve-icon
http://www.vupen.com/english/advisories/2008/1993/references cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/0977 cve-icon cve-icon
https://bugzilla.mozilla.org/show_bug.cgi?id=428672 cve-icon cve-icon
https://bugzilla.mozilla.org/show_bug.cgi?id=432591 cve-icon cve-icon
https://bugzilla.mozilla.org/show_bug.cgi?id=433328 cve-icon cve-icon
https://bugzilla.mozilla.org/show_bug.cgi?id=439035 cve-icon cve-icon
https://bugzilla.mozilla.org/show_bug.cgi?id=440308 cve-icon cve-icon
https://issues.rpath.com/browse/RPL-2646 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2008-2800 cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9386 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2008-2800 cve-icon
https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00207.html cve-icon cve-icon
https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00288.html cve-icon cve-icon
https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00295.html cve-icon cve-icon
History

No history.

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2024-08-07T09:14:14.814Z

Reserved: 2008-06-20T00:00:00

Link: CVE-2008-2800

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2008-07-07T23:41:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-2800

cve-icon Redhat

Severity : Moderate

Publid Date: 2008-07-02T00:00:00Z

Links: CVE-2008-2800 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses