CVE-2009-2472

Published: Jul 22, 2009Modified: Apr 23, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Mozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrapper when required during object construction, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted document, related to a "cross origin wrapper bypass."

Affected (10)

Products: Mozilla: Firefox · Fedoraproject: Fedora · Opensuse: Opensuse · +1 more

Show all products

Mozilla: Firefox · Fedoraproject: Fedora · Opensuse: Opensuse · Suse: Linux Enterprise Debuginfo, Linux Enterprise Desktop, Linux Enterprise Server

1 product

1 product

1 product

3 products

Linux Enterprise Debuginfo

Linux Enterprise Desktop

Linux Enterprise Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 3.0.12

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 10

Configuration C

8 vulnerable

Vulnerable Software	Affected Versions
Opensuse Opensuse	Version 11.0
Opensuse Opensuse	Version 11.1
Suse Linux Enterprise Debuginfo	Version 10 sp2
Suse Linux Enterprise Debuginfo	Version 11
Suse Linux Enterprise Desktop	Version 10 sp2
Suse Linux Enterprise Desktop	Version 11
Suse Linux Enterprise Server	Version 10 sp2
Suse Linux Enterprise Server	Version 11

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (36)

http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00005.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00002.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://rhn.redhat.com/errata/RHSA-2009-1162.html

Source: secalert@redhat.com

Broken Link

http://secunia.com/advisories/35914

Source: secalert@redhat.com

Third Party Advisory

http://secunia.com/advisories/35944

Source: secalert@redhat.com

Third Party Advisory

http://secunia.com/advisories/36005

Source: secalert@redhat.com

Third Party Advisory

http://secunia.com/advisories/36145

Source: secalert@redhat.com

Third Party Advisory

http://sunsolve.sun.com/search/document.do?assetkey=1-26-265068-1

Source: secalert@redhat.com

Broken Link

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020800.1-1

Source: secalert@redhat.com

Broken Link

http://www.mozilla.org/security/announce/2009/mfsa2009-40.html

Source: secalert@redhat.com

PatchVendor Advisory

http://www.securityfocus.com/bid/35758

Source: secalert@redhat.com

PatchThird Party AdvisoryVDB Entry

http://www.vupen.com/english/advisories/2009/1972

Source: secalert@redhat.com

PatchThird Party Advisory

http://www.vupen.com/english/advisories/2009/2152

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=479288

Source: secalert@redhat.com

Issue TrackingPatchVendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=481434

Source: secalert@redhat.com

Issue TrackingPatchVendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=497102

Source: secalert@redhat.com

Issue TrackingPatchVendor Advisory

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9497

Source: secalert@redhat.com

Third Party Advisory

https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01032.html

Source: secalert@redhat.com

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00005.html