CVE-2008-5024 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 89%

Vendor	Product	Version
mozilla	firefox	2.0 ≤ 𝑥 < 2.0.0.18
mozilla	firefox	3.0 ≤ 𝑥 < 3.0.4
mozilla	seamonkey	1.0 ≤ 𝑥 < 1.1.13
mozilla	thunderbird	2.0 ≤ 𝑥 < 2.0.0.18
debian	debian_linux	4.0
canonical	ubuntu_linux	6.06
canonical	ubuntu_linux	7.10
canonical	ubuntu_linux	8.04
canonical	ubuntu_linux	8.10

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

firefox

intrepid	dne
hardy	Fixed 2.0.0.18+nobinonly-0ubuntu0.8.04.1 released
gutsy	Fixed 2.0.0.18+nobinonly-0ubuntu0.7.10 released
dapper	Fixed 1.5.dfsg+1.5.0.15~prepatch080614h-0ubuntu1 released

firefox-3.0

intrepid	Fixed 3.0.4+nobinonly-0ubuntu0.8.10.1 released
hardy	Fixed 3.0.4+nobinonly-0ubuntu0.8.04.1 released
gutsy	ignored
dapper	dne

iceape

intrepid	dne
hardy	dne
gutsy	ignored
dapper	dne

icedove

intrepid	dne
hardy	dne
gutsy	dne
dapper	dne

iceweasel

intrepid	dne
hardy	dne
gutsy	dne
dapper	dne

mozilla-thunderbird

intrepid	dne
hardy	dne
gutsy	dne
dapper	Fixed 1.5.0.13+1.5.0.15~prepatch080614h-0ubuntu0.6.06.1 released

seamonkey

intrepid	Fixed 1.1.15+nobinonly-0ubuntu0.8.10.2 released
hardy	Fixed 1.1.15+nobinonly-0ubuntu0.8.04.2 released
gutsy	dne
dapper	dne

thunderbird

intrepid	Fixed 2.0.0.18+nobinonly-0ubuntu0.8.10.1 released
hardy	Fixed 2.0.0.18+nobinonly-0ubuntu0.8.04.1 released
gutsy	Fixed 2.0.0.18+nobinonly-0ubuntu0.7.10.1 released
dapper	dne

xulrunner

intrepid	Fixed 1.8.1.16+nobinonly-0ubuntu1 released
hardy	Fixed 1.8.1.18+nobinonly.b308.cvs20090331t155113-0ubuntu0.8.04.1 released
gutsy	Fixed 1.8.1.18+nobinonly.b308.cvs20090331t155113-0ubuntu0.7.10.1 released
dapper	dne

xulrunner-1.9

intrepid	Fixed 1.9.0.4+nobinonly-0ubuntu0.8.10.1 released
hardy	Fixed 1.9.0.4+nobinonly-0ubuntu0.8.04.1 released
gutsy	ignored
dapper	dne

Known Exploits!

Common Weakness Enumeration

CWE-91 - XML Injection (aka Blind XPath Injection)
The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

References

http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00004.html

http://secunia.com/advisories/32684

http://secunia.com/advisories/32693

http://secunia.com/advisories/32694

http://secunia.com/advisories/32695

http://secunia.com/advisories/32713

http://secunia.com/advisories/32714

http://secunia.com/advisories/32715

http://secunia.com/advisories/32721

http://secunia.com/advisories/32778

http://secunia.com/advisories/32798

http://secunia.com/advisories/32845

http://secunia.com/advisories/32853

http://secunia.com/advisories/33433

http://secunia.com/advisories/33434

http://secunia.com/advisories/34501

http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1

http://ubuntu.com/usn/usn-667-1

http://www.debian.org/security/2008/dsa-1669

http://www.debian.org/security/2008/dsa-1671

http://www.debian.org/security/2009/dsa-1696

http://www.debian.org/security/2009/dsa-1697

http://www.mandriva.com/security/advisories?name=MDVSA-2008:228

http://www.mandriva.com/security/advisories?name=MDVSA-2008:230

http://www.mandriva.com/security/advisories?name=MDVSA-2008:235

http://www.mozilla.org/security/announce/2008/mfsa2008-58.html

http://www.redhat.com/support/errata/RHSA-2008-0976.html

http://www.redhat.com/support/errata/RHSA-2008-0977.html

http://www.redhat.com/support/errata/RHSA-2008-0978.html

http://www.securityfocus.com/bid/32281

http://www.securitytracker.com/id?1021192

http://www.us-cert.gov/cas/techalerts/TA08-319A.html

http://www.vupen.com/english/advisories/2008/3146

http://www.vupen.com/english/advisories/2009/0977

https://bugzilla.mozilla.org/show_bug.cgi?id=453915

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9063

https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00366.html

https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00385.html

http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00004.html

http://secunia.com/advisories/32684

http://secunia.com/advisories/32693

http://secunia.com/advisories/32694

http://secunia.com/advisories/32695

http://secunia.com/advisories/32713

http://secunia.com/advisories/32714

http://secunia.com/advisories/32715

http://secunia.com/advisories/32721

http://secunia.com/advisories/32778

http://secunia.com/advisories/32798

http://secunia.com/advisories/32845

http://secunia.com/advisories/32853

http://secunia.com/advisories/33433

http://secunia.com/advisories/33434

http://secunia.com/advisories/34501

http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1

http://ubuntu.com/usn/usn-667-1

http://www.debian.org/security/2008/dsa-1669

http://www.debian.org/security/2008/dsa-1671

http://www.debian.org/security/2009/dsa-1696

http://www.debian.org/security/2009/dsa-1697

http://www.mandriva.com/security/advisories?name=MDVSA-2008:228

http://www.mandriva.com/security/advisories?name=MDVSA-2008:230

http://www.mandriva.com/security/advisories?name=MDVSA-2008:235

http://www.mozilla.org/security/announce/2008/mfsa2008-58.html

http://www.redhat.com/support/errata/RHSA-2008-0976.html

http://www.redhat.com/support/errata/RHSA-2008-0977.html

http://www.redhat.com/support/errata/RHSA-2008-0978.html

http://www.securityfocus.com/bid/32281

http://www.securitytracker.com/id?1021192

http://www.us-cert.gov/cas/techalerts/TA08-319A.html

http://www.vupen.com/english/advisories/2008/3146

http://www.vupen.com/english/advisories/2009/0977

https://bugzilla.mozilla.org/show_bug.cgi?id=453915

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9063

https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00366.html

https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00385.html