CVE-2009-0355

EUVD-2009-0359
components/sessionstore/src/nsSessionStore.js in Mozilla Firefox before 3.0.6 does not block changes of INPUT elements to type="file" during tab restoration, which allows user-assisted remote attackers to read arbitrary files on a client machine via a crafted INPUT element.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 UNKNOWN
NETWORK
HIGH
AV:N/AC:H/Au:N/C:C/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 84%
Affected Products (NVD)
VendorProductVersion
mozillafirefox
𝑥
≤ 3.0.5
mozillafirefox
0.1
mozillafirefox
0.2
mozillafirefox
0.3
mozillafirefox
0.4
mozillafirefox
0.5
mozillafirefox
0.6
mozillafirefox
0.6.1
mozillafirefox
0.7
mozillafirefox
0.7.1
mozillafirefox
0.8
mozillafirefox
0.9
mozillafirefox
0.9:rc
mozillafirefox
0.9.1
mozillafirefox
0.9.2
mozillafirefox
0.9.3
mozillafirefox
0.9_rc:_rc
mozillafirefox
0.10
mozillafirefox
0.10.1
mozillafirefox
1.0
mozillafirefox
1.0:preview_release
mozillafirefox
1.0.1
mozillafirefox
1.0.2
mozillafirefox
1.0.3
mozillafirefox
1.0.4
mozillafirefox
1.0.5
mozillafirefox
1.0.6
mozillafirefox
1.0.7
mozillafirefox
1.0.8
mozillafirefox
1.5
mozillafirefox
1.5:beta1
mozillafirefox
1.5:beta2
mozillafirefox
1.5.0.1
mozillafirefox
1.5.0.2
mozillafirefox
1.5.0.3
mozillafirefox
1.5.0.4
mozillafirefox
1.5.0.5
mozillafirefox
1.5.0.6
mozillafirefox
1.5.0.7
mozillafirefox
1.5.0.8
mozillafirefox
1.5.0.9
mozillafirefox
1.5.0.10
mozillafirefox
1.5.0.11
mozillafirefox
1.5.0.12
mozillafirefox
1.5.1
mozillafirefox
1.5.2
mozillafirefox
1.5.3
mozillafirefox
1.5.4
mozillafirefox
1.5.5
mozillafirefox
1.5.6
mozillafirefox
1.5.7
mozillafirefox
1.5.8
mozillafirefox
1.8
mozillafirefox
2.0
mozillafirefox
2.0:beta_1
mozillafirefox
2.0:beta1
mozillafirefox
2.0:rc2
mozillafirefox
2.0:rc3
mozillafirefox
2.0.0.1
mozillafirefox
2.0.0.2
mozillafirefox
2.0.0.3
mozillafirefox
2.0.0.4
mozillafirefox
2.0.0.5
mozillafirefox
2.0.0.6
mozillafirefox
2.0.0.7
mozillafirefox
2.0.0.8
mozillafirefox
2.0.0.9
mozillafirefox
2.0.0.10
mozillafirefox
2.0.0.11
mozillafirefox
2.0.0.12
mozillafirefox
2.0.0.13
mozillafirefox
2.0.0.14
mozillafirefox
2.0.0.15
mozillafirefox
2.0.0.16
mozillafirefox
2.0.0.17
mozillafirefox
2.0.0.18
mozillafirefox
2.0_.1:_.1
mozillafirefox
2.0_.4:_.4
mozillafirefox
2.0_.5:_.5
mozillafirefox
2.0_.6:_.6
mozillafirefox
2.0_.7:_.7
mozillafirefox
2.0_.9:_.9
mozillafirefox
2.0_.10:_.10
mozillafirefox
2.0_8:_8
mozillafirefox
3.0
mozillafirefox
3.0:alpha
mozillafirefox
3.0:beta2
mozillafirefox
3.0:beta5
mozillafirefox
3.0.1
mozillafirefox
3.0.2
mozillafirefox
3.0.3
mozillafirefox
3.0.4
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
firefox
dapper
ignored
gutsy
Fixed 2.0.0.21~20090209t122238+nobinonly-0ubuntu0.7.10.1
released
hardy
ignored
intrepid
dne
jaunty
dne
karmic
dne
lucid
not-affected
maverick
not-affected
natty
not-affected
iceape
dapper
dne
gutsy
not-affected
hardy
dne
intrepid
dne
jaunty
dne
karmic
dne
lucid
dne
maverick
dne
natty
dne
seamonkey
dapper
dne
gutsy
dne
hardy
not-affected
intrepid
not-affected
jaunty
not-affected
karmic
not-affected
lucid
not-affected
maverick
not-affected
natty
not-affected
xulrunner
dapper
dne
gutsy
Fixed 1.8.1.18+nobinonly.b308.cvs20090331t155113-0ubuntu0.7.10.1
released
hardy
Fixed 1.8.1.18+nobinonly.b308.cvs20090331t155113-0ubuntu0.8.04.1
released
intrepid
Fixed 1.8.1.18+nobinonly.b308.cvs20090331t155113-0ubuntu0.8.10.1
released
jaunty
ignored
karmic
ignored
lucid
dne
maverick
dne
natty
dne
xulrunner-1.9
dapper
dne
gutsy
ignored
hardy
Fixed 1.9.0.6+nobinonly-0ubuntu0.8.04.1
released
intrepid
Fixed 1.9.0.6+nobinonly-0ubuntu0.8.10.1
released
jaunty
Fixed 1.9.0.6+nobinonly-0ubuntu1
released
karmic
dne
lucid
dne
maverick
dne
natty
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00001.html
http://rhn.redhat.com/errata/RHSA-2009-0256.html
http://secunia.com/advisories/33799
http://secunia.com/advisories/33808
http://secunia.com/advisories/33809
http://secunia.com/advisories/33816
http://secunia.com/advisories/33831
http://secunia.com/advisories/33841
http://secunia.com/advisories/33846
http://secunia.com/advisories/33869
http://secunia.com/advisories/34324
http://secunia.com/advisories/34417
http://support.avaya.com/elmodocs2/security/ASA-2009-040.htm
http://www.mandriva.com/security/advisories?name=MDVSA-2009:044
http://www.mozilla.org/security/announce/2009/mfsa2009-03.html
http://www.redhat.com/support/errata/RHSA-2009-0257.html
http://www.redhat.com/support/errata/RHSA-2009-0258.html
http://www.securityfocus.com/bid/33598
http://www.securitytracker.com/id?1021665
http://www.ubuntu.com/usn/usn-717-1
http://www.ubuntu.com/usn/usn-717-2
http://www.vupen.com/english/advisories/2009/0313
https://bugzilla.mozilla.org/show_bug.cgi?id=466937
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9161
https://www.redhat.com/archives/fedora-package-announce/2009-February/msg00240.html
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00769.html
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00771.html
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00001.html
http://rhn.redhat.com/errata/RHSA-2009-0256.html
http://secunia.com/advisories/33799
http://secunia.com/advisories/33808
http://secunia.com/advisories/33809
http://secunia.com/advisories/33816
http://secunia.com/advisories/33831
http://secunia.com/advisories/33841
http://secunia.com/advisories/33846
http://secunia.com/advisories/33869
http://secunia.com/advisories/34324
http://secunia.com/advisories/34417
http://support.avaya.com/elmodocs2/security/ASA-2009-040.htm
http://www.mandriva.com/security/advisories?name=MDVSA-2009:044
http://www.mozilla.org/security/announce/2009/mfsa2009-03.html
http://www.redhat.com/support/errata/RHSA-2009-0257.html
http://www.redhat.com/support/errata/RHSA-2009-0258.html
http://www.securityfocus.com/bid/33598
http://www.securitytracker.com/id?1021665
http://www.ubuntu.com/usn/usn-717-1
http://www.ubuntu.com/usn/usn-717-2
http://www.vupen.com/english/advisories/2009/0313
https://bugzilla.mozilla.org/show_bug.cgi?id=466937
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9161
https://www.redhat.com/archives/fedora-package-announce/2009-February/msg00240.html
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00769.html
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00771.html