CVE-2009-2477 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.3 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:N/C:C/I:C/A:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Affected Products (NVD)

Vendor	Product	Version
mozilla	firefox	3.5

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

firefox-3.5

dapper	dne
hardy	dne
intrepid	dne
jaunty	Fixed 3.5.1+build1+nobinonly-0ubuntu0.9.04.1 released

xulrunner-1.9.1

dapper	dne
hardy	dne
intrepid	dne
jaunty	Fixed 1.9.1.1+build1+nobinonly-0ubuntu0.9.04.1 released

Known Exploits!

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/

http://isc.sans.org/diary.html?storyid=6796

http://secunia.com/advisories/35798

http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1

http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html

http://www.exploit-db.com/exploits/9137

http://www.exploit-db.com/exploits/9181

http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761

http://www.kb.cert.org/vuls/id/443060

http://www.mozilla.org/security/announce/2009/mfsa2009-41.html

http://www.securityfocus.com/bid/35660

http://www.vupen.com/english/advisories/2009/1868

https://bugzilla.mozilla.org/show_bug.cgi?id=503286

https://www.exploit-db.com/exploits/40936/

https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00909.html