CVE-2009-2061
Firefox < 3.0.10 - Cross-Site Scripting via 3xx HTTP CONNECT Response
Title source: llmDescription
Mozilla Firefox before 3.0.10 processes a 3xx HTTP CONNECT response before a successful SSL handshake, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying this CONNECT response to specify a 302 redirect to an arbitrary https web site.
References (4)
Core 4
Core References
Exploit x_refsource_misc
http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/35412
Vendor Advisory x_refsource_misc
http://research.microsoft.com/apps/pubs/default.aspx?id=79323
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/51203
Scores
EPSS
0.0123
EPSS Percentile
65.7%
Details
CWE
CWE-310
Status
published
Products (46)
mozilla/firefox
0.1
mozilla/firefox
0.2
mozilla/firefox
0.3
mozilla/firefox
0.4
mozilla/firefox
0.5
mozilla/firefox
0.6
mozilla/firefox
0.6.1
mozilla/firefox
0.7
mozilla/firefox
0.7.1
mozilla/firefox
0.8
... and 36 more
Published
Jun 15, 2009
Tracked Since
Feb 18, 2026