CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
97.5%
Mozilla Firefox is an open-source web browser and Mozilla Thunderbird an open-source email client, both from the Mozilla Project. The SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the ‘Mozilla Application Suite’. XULRunner is a Mozilla runtime package that can be used to bootstrap XUL+XPCOM applications like Firefox and Thunderbird.
The following vulnerabilities were reported in all mentioned Mozilla products:
The following vulnerability was reported in Thunderbird and SeaMonkey:
The following vulnerabilities were reported in Firefox, SeaMonkey and XULRunner:
The following vulnerabilities were reported in Firefox:
A remote attacker could entice a user to view a specially crafted web page or email that will trigger one of the vulnerabilities, possibly leading to the execution of arbitrary code or a Denial of Service. It is also possible for an attacker to trick a user to upload arbitrary files when submitting a form, to corrupt saved passwords for other sites, to steal login credentials, or to conduct Cross-Site Scripting and Cross-Site Request Forgery attacks.
There is no known workaround at this time.
All Mozilla Firefox users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.14"
All Mozilla Firefox binary users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.14"
All Mozilla Thunderbird users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-2.0.0.14"
All Mozilla Thunderbird binary users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-2.0.0.14"
All SeaMonkey users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.9-r1"
All SeaMonkey binary users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.9"
All XULRunner users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.14"
NOTE: The crash vulnerability (CVE-2008-1380) is currently unfixed in the SeaMonkey binary ebuild, as no precompiled packages have been released. Until an update is available, we recommend all SeaMonkey users to disable JavaScript, use Firefox for JavaScript-enabled browsing, or switch to the SeaMonkey source ebuild.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Gentoo | any | all | www-client/mozilla-firefox | < 2.0.0.14 | UNKNOWN |
Gentoo | any | all | www-client/mozilla-firefox-bin | < 2.0.0.14 | UNKNOWN |
Gentoo | any | all | mail-client/mozilla-thunderbird | < 2.0.0.14 | UNKNOWN |
Gentoo | any | all | mail-client/mozilla-thunderbird-bin | < 2.0.0.14 | UNKNOWN |
Gentoo | any | all | www-client/seamonkey | < 1.1.9-r1 | UNKNOWN |
Gentoo | any | all | www-client/seamonkey-bin | < 1.1.9 | UNKNOWN |
Gentoo | any | all | net-libs/xulrunner | < 1.8.1.14 | UNKNOWN |