Vulnerability Description
The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 retrieves the inner URL regardless of its MIME type, and considers HTML documents within a jar archive to have the same origin as the inner URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | <= 2.0.0.9 |
| Mozilla | SeaMonkey | <= 1.1.6 |
Related Weaknesses (CWE)
References
- http://browser.netscape.com/releasenotes/
- http://bugs.gentoo.org/show_bug.cgi?id=198965
- http://bugs.gentoo.org/show_bug.cgi?id=200909
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
- http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00004.html
- http://secunia.com/advisories/27605 (Vendor Advisory)
- http://secunia.com/advisories/27793 (Vendor Advisory)
- http://secunia.com/advisories/27796 (Vendor Advisory)
- http://secunia.com/advisories/27797 (Vendor Advisory)
- http://secunia.com/advisories/27800 (Vendor Advisory)
- http://secunia.com/advisories/27816 (Vendor Advisory)
- http://secunia.com/advisories/27838 (Vendor Advisory)
- http://secunia.com/advisories/27845 (Vendor Advisory)
- http://secunia.com/advisories/27855 (Vendor Advisory)
- http://secunia.com/advisories/27944 (Vendor Advisory)
FAQ
What is CVE-2007-5947?
CVE-2007-5947 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 retrieves the inner URL regardless of its MIME type, and considers HTML documents within a jar archive to have th...
How severe is CVE-2007-5947?
CVE-2007-5947 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-5947?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla SeaMonkey.