Vulnerability Description
Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | <= 3.5.1 |
Related Weaknesses (CWE)
References
- http://blog.mozilla.com/security/2009/07/28/url-bar-spoofing-vulnerability/PatchVendor Advisory
- http://es.geocities.com/jplopezy/firefoxspoofing.html
- http://osvdb.org/56717
- http://secunia.com/advisories/36001Vendor Advisory
- http://secunia.com/advisories/36126Vendor Advisory
- http://secunia.com/advisories/36141Vendor Advisory
- http://secunia.com/advisories/36435Vendor Advisory
- http://secunia.com/advisories/36669
- http://secunia.com/advisories/36670
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1
- http://www.debian.org/security/2009/dsa-1873
- http://www.mozilla.org/security/announce/2009/mfsa2009-44.htmlPatchVendor Advisory
- http://www.redhat.com/support/errata/RHSA-2009-1430.html
- http://www.redhat.com/support/errata/RHSA-2009-1431.html
- http://www.redhat.com/support/errata/RHSA-2009-1432.html
FAQ
What is CVE-2009-2654?
CVE-2009-2654 is a vulnerability with a CVSS score of 5.8 (MEDIUM). Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an in...
How severe is CVE-2009-2654?
CVE-2009-2654 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-2654?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox.