Description
Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 sets the Referer header to the window or frame in which script is running, instead of the address of the content that initiated the script, which allows remote attackers to spoof HTTP Referer headers and bypass Referer-based CSRF protection schemes by setting window.location and using a modal alert dialog that causes the wrong Referer to be sent.
References (57)
Core 57
Core References
Various Sources x_refsource_confirm
http://browser.netscape.com/releasenotes/
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27816
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27855
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2007/dsa-1424
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/26589
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00004.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200712-21.xml
Third Party Advisory x_refsource_confirm
http://wiki.rpath.com/wiki/Advisories:rPSA-2007-0260
Issue Tracking x_refsource_confirm
https://issues.rpath.com/browse/RPL-1995
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/28277
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27845
Vendor Advisory vendor-advisory
x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-1083.html
Third Party Advisory x_refsource_confirm
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9794
Issue Tracking x_refsource_misc
http://bugs.gentoo.org/show_bug.cgi?id=200909
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/0643
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg01011.html
Vendor Advisory vendor-advisory
x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-1082.html
Vendor Advisory vendor-advisory
x_refsource_slackware
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.374833
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/28016
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00168.html
Vendor Advisory vendor-advisory
x_refsource_hp
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2007:246
Vendor Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/546-1/
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2007/4018
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/488971/100/0/threaded
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27838
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00135.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1018995
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/488002/100/0/threaded
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2007/4002
Vendor Advisory vendor-advisory
x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1018977.1-1
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27793
Issue Tracking x_refsource_misc
http://bugs.gentoo.org/show_bug.cgi?id=198965
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/0083
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27955
Third Party Advisory x_refsource_confirm
http://wiki.rpath.com/Advisories:rPSA-2008-0093
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-546-2
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00115.html
Vendor Advisory vendor-advisory
x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-231441-1
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27957
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/28398
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/29164
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/38644
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/28001
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27796
Vendor Advisory vendor-advisory
x_refsource_slackware
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.365006
Issue Tracking x_refsource_confirm
https://issues.rpath.com/browse/RPL-1984
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27797
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27979
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/28171
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27800
Vendor Advisory vendor-advisory
x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-1084.html
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2007/dsa-1425
Various Sources x_refsource_confirm
http://www.mozilla.org/security/announce/2007/mfsa2007-39.html
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27944
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/27725
Scores
EPSS
0.0147
EPSS Percentile
70.6%
Details
CWE
CWE-22
Status
published
Products (47)
mozilla/firefox
0.8
mozilla/firefox
0.9
mozilla/firefox
0.9.1
mozilla/firefox
0.9.2
mozilla/firefox
0.9.3
mozilla/firefox
0.10
mozilla/firefox
0.10.1
mozilla/firefox
1.0
mozilla/firefox
1.0.1
mozilla/firefox
1.0.2
... and 37 more
Published
Nov 26, 2007
Tracked Since
Feb 18, 2026