MEDIUM · 4.3

CVE-2009-2472

Vulnerability Description

Mozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrapper when required during object construction, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted document, related to a "cross origin wrapper bypass."

CVSS Score

4.3

MEDIUM

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE

Affected Products

Vendor | Product | Versions
Mozilla | Firefox | < 3.0.12
Fedoraproject | Fedora | 10
Suse | Linux Enterprise Debuginfo | 10
Opensuse | Opensuse | 11.0
Suse | Linux Enterprise Desktop | 10
Suse | Linux Enterprise Server | 10

Related Weaknesses (CWE)

References

FAQ

What is CVE-2009-2472?

CVE-2009-2472 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Mozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrapper when required during object construction, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site ...

How severe is CVE-2009-2472?

CVE-2009-2472 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2009-2472?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Fedoraproject Fedora, Suse Linux Enterprise Debuginfo, Opensuse Opensuse, Suse Linux Enterprise Desktop.