CVE-2008-1238

Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, does not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:P/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
VendorProductVersion
mozillafirefox
𝑥
≤ 2.0.0.12
mozillaseamonkey
𝑥
≤ 1.1.8
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
firefox
intrepid
dne
hardy
Fixed 2.0.0.13+1nobinonly-0ubuntu1
released
gutsy
Fixed 2.0.0.13+1nobinonly-0ubuntu0.7.10
released
feisty
Fixed 2.0.0.13+0nobinonly-0ubuntu0.7.4
released
edgy
Fixed 2.0.0.13+0nobinonly-0ubuntu0.6.10
released
dapper
Fixed 1.5.dfsg+1.5.0.15~prepatch080323a-0ubuntu1
released
iceape
intrepid
dne
hardy
dne
gutsy
ignored
feisty
dne
edgy
dne
dapper
dne
iceweasel
intrepid
dne
hardy
dne
gutsy
dne
feisty
dne
edgy
dne
dapper
dne
seamonkey
intrepid
Fixed 1.1.9+nobinonly-0ubuntu1
released
hardy
Fixed 1.1.9+nobinonly-0ubuntu1
released
gutsy
dne
feisty
dne
edgy
dne
dapper
dne
xulrunner
intrepid
Fixed 1.8.1.13+nobinonly-0ubuntu1
released
hardy
Fixed 1.8.1.13+nobinonly-0ubuntu1
released
gutsy
Fixed 1.8.1.18+nobinonly.b308.cvs20090331t155113-0ubuntu0.7.10.1
released
feisty
ignored
edgy
ignored
dapper
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00002.html
http://rhn.redhat.com/errata/RHSA-2008-0208.html
http://secunia.com/advisories/29391
http://secunia.com/advisories/29526
http://secunia.com/advisories/29539
http://secunia.com/advisories/29541
http://secunia.com/advisories/29547
http://secunia.com/advisories/29550
http://secunia.com/advisories/29558
http://secunia.com/advisories/29560
http://secunia.com/advisories/29607
http://secunia.com/advisories/29616
http://secunia.com/advisories/29645
http://secunia.com/advisories/30327
http://secunia.com/advisories/30620
http://sla.ckers.org/forum/read.php?10%2C20033
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128
http://www.debian.org/security/2008/dsa-1532
http://www.debian.org/security/2008/dsa-1534
http://www.debian.org/security/2008/dsa-1535
http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2008:080
http://www.mozilla.org/security/announce/2008/mfsa2008-16.html
http://www.redhat.com/support/errata/RHSA-2008-0207.html
http://www.redhat.com/support/errata/RHSA-2008-0209.html
http://www.securityfocus.com/archive/1/490196/100/0/threaded
http://www.securityfocus.com/bid/28448
http://www.securitytracker.com/id?1019703
http://www.ubuntu.com/usn/usn-592-1
http://www.us-cert.gov/cas/techalerts/TA08-087A.html
http://www.vupen.com/english/advisories/2008/0998/references
http://www.vupen.com/english/advisories/2008/1793/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41449
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9889
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00002.html
http://rhn.redhat.com/errata/RHSA-2008-0208.html
http://secunia.com/advisories/29391
http://secunia.com/advisories/29526
http://secunia.com/advisories/29539
http://secunia.com/advisories/29541
http://secunia.com/advisories/29547
http://secunia.com/advisories/29550
http://secunia.com/advisories/29558
http://secunia.com/advisories/29560
http://secunia.com/advisories/29607
http://secunia.com/advisories/29616
http://secunia.com/advisories/29645
http://secunia.com/advisories/30327
http://secunia.com/advisories/30620
http://sla.ckers.org/forum/read.php?10%2C20033
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128
http://www.debian.org/security/2008/dsa-1532
http://www.debian.org/security/2008/dsa-1534
http://www.debian.org/security/2008/dsa-1535
http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2008:080
http://www.mozilla.org/security/announce/2008/mfsa2008-16.html
http://www.redhat.com/support/errata/RHSA-2008-0207.html
http://www.redhat.com/support/errata/RHSA-2008-0209.html
http://www.securityfocus.com/archive/1/490196/100/0/threaded
http://www.securityfocus.com/bid/28448
http://www.securitytracker.com/id?1019703
http://www.ubuntu.com/usn/usn-592-1
http://www.us-cert.gov/cas/techalerts/TA08-087A.html
http://www.vupen.com/english/advisories/2008/0998/references
http://www.vupen.com/english/advisories/2008/1793/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41449
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9889