CVE-2007-6589

Publication date 28 December 2007

Last updated 24 July 2024


Ubuntu priority

Description

The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 does not update the origin domain when retrieving the inner URL parameter yields an HTTP redirect, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI, a different vulnerability than CVE-2007-5947.


Status

| Package | Ubuntu Release | Status |
|---|---|---|
| firefox | 8.10 intrepid | Not in release |
| firefox | 8.04 LTS hardy | Not affected |
| firefox | 7.10 gutsy | Not affected |
| firefox | 7.04 feisty | Not affected |
| firefox | 6.10 edgy | Not affected |
| firefox | 6.06 LTS dapper | Not affected |
| iceape | 8.10 intrepid | Not in release |
| iceape | 8.04 LTS hardy | Not in release |
| iceape | 7.10 gutsy | Ignored end of life, was needed |
| iceape | 7.04 feisty | Not in release |
| iceape | 6.10 edgy | Not in release |
| iceape | 6.06 LTS dapper | Not in release |
| seamonkey | 8.10 intrepid | Fixed 1.1.9+nobinonly-0ubuntu1 |
| seamonkey | 8.04 LTS hardy | Fixed 1.1.9+nobinonly-0ubuntu1 |
| seamonkey | 7.10 gutsy | Not in release |
| seamonkey | 7.04 feisty | Not in release |
| seamonkey | 6.10 edgy | Not in release |
| seamonkey | 6.06 LTS dapper | Not in release |
| xulrunner | 8.10 intrepid | Fixed 1.8.1.13+nobinonly-0ubuntu1 |
| xulrunner | 8.04 LTS hardy | Fixed 1.8.1.13+nobinonly-0ubuntu1 |
| xulrunner | 7.10 gutsy | Fixed 1.8.1.18+nobinonly.b308.cvs20090331t155113-0ubuntu0.7.10.1 |
| xulrunner | 7.04 feisty | Ignored end of life, was needed |
| xulrunner | 6.10 edgy | Ignored end of life, was needed |
| xulrunner | 6.06 LTS dapper | Not in release |

Notes


jdstrand

notified asac (asked if backported code from MFSA-37 fixes this on Dapper)
per asac, dapper is fixed

