Strix
26.1K

CVE-2009-3012

UnknownEPSS 0.83%

Last modified

CVE-2009-3012 is a vulnerability of currently unknown severity. Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre does not properly block data: URIs in Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Location header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header. NOTE: the JavaScript executes outside of the context of the HTTP site.. EPSS estimates a 0.83% chance of exploitation in the next 30 days.

Description

Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre does not properly block data: URIs in Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Location header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header. NOTE: the JavaScript executes outside of the context of the HTTP site.

Metrics

EPSS Probability
0.83%

52.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
MozillaFirefox<= 3.0.13
MozillaFirefox3.0
MozillaFirefox3.0.1
MozillaFirefox3.0.2
MozillaFirefox3.0.3
MozillaFirefox3.0.4
MozillaFirefox3.0.5
MozillaFirefox3.0.6
MozillaFirefox3.0.7
MozillaFirefox3.0.8
MozillaFirefox3.0.9
MozillaFirefox3.0.10
MozillaFirefox3.0.11
MozillaFirefox3.0.12
MozillaFirefox3.5
MozillaFirefox3.6A1 Pre
MozillaFirefox3.7A1 Pre

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2009-3012?
Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre does not properly block data: URIs in Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Location header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header. NOTE: the JavaScript executes outside of the context of the HTTP site.
How severe is CVE-2009-3012?
Severity scoring for CVE-2009-3012 is pending analysis. The EPSS model estimates a 0.83% probability of exploitation in the next 30 days.
How do I fix CVE-2009-3012?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2009-3012?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST