CVE-2008-5022 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2008-5022?

CVE-2008-5022 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2008-5022?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Seamonkey, Mozilla Thunderbird, Debian Debian Linux, Canonical Ubuntu Linux.

Vulnerability Description

The nsXMLHttpRequest::NotifyEventListeners method in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to bypass the same-origin policy and execute arbitrary script via multiple listeners, which bypass the inner window check.

CVSS Score

7.5

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Mozilla	Firefox	>= 2.0, < 2.0.0.18
Mozilla	Seamonkey	>= 1.0, < 1.1.13
Mozilla	Thunderbird	>= 2.0, < 2.0.0.18
Debian	Debian Linux	4.0
Canonical	Ubuntu Linux	6.06

Related Weaknesses (CWE)

CWE-287

References

http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00004.htmlThird Party Advisory
http://secunia.com/advisories/32684Third Party Advisory
http://secunia.com/advisories/32693Third Party Advisory
http://secunia.com/advisories/32694Third Party Advisory
http://secunia.com/advisories/32695Third Party Advisory
http://secunia.com/advisories/32713Third Party Advisory
http://secunia.com/advisories/32714Third Party Advisory
http://secunia.com/advisories/32715Third Party Advisory
http://secunia.com/advisories/32721Third Party Advisory
http://secunia.com/advisories/32778Third Party Advisory
http://secunia.com/advisories/32798Third Party Advisory
http://secunia.com/advisories/32845Third Party Advisory
http://secunia.com/advisories/32853Third Party Advisory
http://secunia.com/advisories/33433Third Party Advisory
http://secunia.com/advisories/33434Third Party Advisory

FAQ

What is CVE-2008-5022?

CVE-2008-5022 is a vulnerability with a CVSS score of 7.5 (HIGH). The nsXMLHttpRequest::NotifyEventListeners method in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to ...

How severe is CVE-2008-5022?

CVE-2008-5022 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2008-5022?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Seamonkey, Mozilla Thunderbird, Debian Debian Linux, Canonical Ubuntu Linux.