CVE-2008-1238

Mozilla Firefox <2.0.0.13 & SeaMonkey <1.1.9 - CSRF


Description

Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, do not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms.

References (35)

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/490196/100/0/threaded
Vendor Advisory vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-592-1
Various Sources x_refsource_misc
http://sla.ckers.org/forum/read.php?10%2C20033
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29541
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29539
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1019703
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/30620
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29560
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2008/dsa-1532
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/30327
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29616
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29550
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29645
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29607
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/1793/references
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29558
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9889
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2008-0208.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29526
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA08-087A.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29391
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2008-0209.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/28448
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2008-0207.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/41449
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2008/dsa-1534
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29547
Third Party Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml
Third Party Advisory x_refsource_confirm
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/0998/references
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2008/dsa-1535
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2008:080

Scores

EPSS 0.0244
EPSS Percentile 82.3%

Details

CWE CWE-287
Status published
Products (2)
mozilla/firefox < 2.0.0.12
mozilla/seamonkey < 1.1.8
Published Mar 27, 2008
Tracked Since Feb 18, 2026