CVE-2008-0591

Mozilla Firefox before 2.0.0.12 and Thunderbird before 2.0.0.12 does not properly manage a delay timer used in confirmation dialogs, which might allow remote attackers to trick users into confirming an unsafe action, such as remote file execution, by using a timer to change the window focus, aka the "dialog refocus bug" or "ffclick2".
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
mozillafirefox
𝑥
≤ 2.0.0.11
mozillathunderbird
𝑥
≤ 2.0.0.11
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
firefox
dapper
Fixed 1.5.dfsg+1.5.0.15~prepatch080202a-0ubuntu1
released
edgy
Fixed 2.0.0.12+0nobinonly+2-0ubuntu0.6.10
released
feisty
Fixed 2.0.0.12+1nobinonly+2-0ubuntu0.7.4
released
gutsy
Fixed 2.0.0.12+2nobinonly+2-0ubuntu0.7.10
released
hardy
Fixed 2.0.0.12+2nobinonly+2-0ubuntu3
released
intrepid
dne
iceape
dapper
dne
edgy
dne
feisty
dne
gutsy
ignored
hardy
dne
intrepid
dne
icedove
dapper
dne
edgy
dne
feisty
dne
gutsy
dne
hardy
dne
intrepid
dne
iceweasel
dapper
dne
edgy
dne
feisty
dne
gutsy
dne
hardy
dne
intrepid
dne
mozilla-thunderbird
dapper
Fixed 1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.0
released
edgy
Fixed 1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.0
released
feisty
Fixed 1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.0
released
gutsy
dne
hardy
dne
intrepid
dne
seamonkey
dapper
dne
edgy
dne
feisty
dne
gutsy
dne
hardy
Fixed 1.1.9+nobinonly-0ubuntu1
released
intrepid
Fixed 1.1.9+nobinonly-0ubuntu1
released
thunderbird
dapper
dne
edgy
dne
feisty
dne
gutsy
Fixed 2.0.0.12+nobinonly-0ubuntu0.7.10.0
released
hardy
Fixed 2.0.0.12+nobinonly-0ubuntu1
released
intrepid
Fixed 2.0.0.12+nobinonly-0ubuntu1
released
xulrunner
dapper
dne
edgy
ignored
feisty
ignored
gutsy
Fixed 1.8.1.18+nobinonly.b308.cvs20090331t155113-0ubuntu0.7.10.1
released
hardy
Fixed 1.8.1.13+nobinonly-0ubuntu1
released
intrepid
Fixed 1.8.1.13+nobinonly-0ubuntu1
released
References
http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0026.html
http://browser.netscape.com/releasenotes/
http://lcamtuf.coredump.cx/ffclick2/
http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html
http://secunia.com/advisories/28754
http://secunia.com/advisories/28758
http://secunia.com/advisories/28766
http://secunia.com/advisories/28808
http://secunia.com/advisories/28818
http://secunia.com/advisories/28839
http://secunia.com/advisories/28864
http://secunia.com/advisories/28865
http://secunia.com/advisories/28877
http://secunia.com/advisories/28879
http://secunia.com/advisories/28924
http://secunia.com/advisories/28939
http://secunia.com/advisories/28958
http://secunia.com/advisories/29049
http://secunia.com/advisories/29086
http://secunia.com/advisories/29164
http://secunia.com/advisories/29167
http://secunia.com/advisories/29567
http://secunia.com/advisories/30327
http://secunia.com/advisories/30620
http://securityreason.com/securityalert/2781
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1
http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html
http://wiki.rpath.com/Advisories:rPSA-2008-0051
http://wiki.rpath.com/Advisories:rPSA-2008-0093
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093
http://www.debian.org/security/2008/dsa-1484
http://www.debian.org/security/2008/dsa-1485
http://www.debian.org/security/2008/dsa-1489
http://www.debian.org/security/2008/dsa-1506
http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2008:048
http://www.mandriva.com/security/advisories?name=MDVSA-2008:062
http://www.mozilla.org/security/announce/2008/mfsa2008-08.html
http://www.redhat.com/support/errata/RHSA-2008-0103.html
http://www.redhat.com/support/errata/RHSA-2008-0104.html
http://www.redhat.com/support/errata/RHSA-2008-0105.html
http://www.securityfocus.com/archive/1/470446/100/0/threaded
http://www.securityfocus.com/archive/1/487826/100/0/threaded
http://www.securityfocus.com/archive/1/488002/100/0/threaded
http://www.securityfocus.com/archive/1/488971/100/0/threaded
http://www.securityfocus.com/bid/24293
http://www.securityfocus.com/bid/27683
http://www.securitytracker.com/id?1019339
http://www.ubuntu.com/usn/usn-576-1
http://www.vupen.com/english/advisories/2008/0453/references
http://www.vupen.com/english/advisories/2008/0454/references
http://www.vupen.com/english/advisories/2008/0627/references
http://www.vupen.com/english/advisories/2008/1793/references
https://bugzilla.mozilla.org/show_bug.cgi?id=376473
https://issues.rpath.com/browse/RPL-1995
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10900
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00274.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00309.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00381.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00905.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00946.html
http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0026.html
http://browser.netscape.com/releasenotes/
http://lcamtuf.coredump.cx/ffclick2/
http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html
http://secunia.com/advisories/28754
http://secunia.com/advisories/28758
http://secunia.com/advisories/28766
http://secunia.com/advisories/28808
http://secunia.com/advisories/28818
http://secunia.com/advisories/28839
http://secunia.com/advisories/28864
http://secunia.com/advisories/28865
http://secunia.com/advisories/28877
http://secunia.com/advisories/28879
http://secunia.com/advisories/28924
http://secunia.com/advisories/28939
http://secunia.com/advisories/28958
http://secunia.com/advisories/29049
http://secunia.com/advisories/29086
http://secunia.com/advisories/29164
http://secunia.com/advisories/29167
http://secunia.com/advisories/29567
http://secunia.com/advisories/30327
http://secunia.com/advisories/30620
http://securityreason.com/securityalert/2781
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1
http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html
http://wiki.rpath.com/Advisories:rPSA-2008-0051
http://wiki.rpath.com/Advisories:rPSA-2008-0093
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093
http://www.debian.org/security/2008/dsa-1484
http://www.debian.org/security/2008/dsa-1485
http://www.debian.org/security/2008/dsa-1489
http://www.debian.org/security/2008/dsa-1506
http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2008:048
http://www.mandriva.com/security/advisories?name=MDVSA-2008:062
http://www.mozilla.org/security/announce/2008/mfsa2008-08.html
http://www.redhat.com/support/errata/RHSA-2008-0103.html
http://www.redhat.com/support/errata/RHSA-2008-0104.html
http://www.redhat.com/support/errata/RHSA-2008-0105.html
http://www.securityfocus.com/archive/1/470446/100/0/threaded
http://www.securityfocus.com/archive/1/487826/100/0/threaded
http://www.securityfocus.com/archive/1/488002/100/0/threaded
http://www.securityfocus.com/archive/1/488971/100/0/threaded
http://www.securityfocus.com/bid/24293
http://www.securityfocus.com/bid/27683
http://www.securitytracker.com/id?1019339
http://www.ubuntu.com/usn/usn-576-1
http://www.vupen.com/english/advisories/2008/0453/references
http://www.vupen.com/english/advisories/2008/0454/references
http://www.vupen.com/english/advisories/2008/0627/references
http://www.vupen.com/english/advisories/2008/1793/references
https://bugzilla.mozilla.org/show_bug.cgi?id=376473
https://issues.rpath.com/browse/RPL-1995
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10900
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00274.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00309.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00381.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00905.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00946.html