CVE-2009-1312
CVE-2009-1312
Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected.
Affected products
n/a · n/apublic PoCs found — 1
exploitdbwww.exploit-db.com/exploits/32942unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://ha.ckers.org/blog/20070309/firefox-header-redirection-javascript-execution/http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.htmlhttp://rhn.redhat.com/errata/RHSA-2009-0437.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=475636http://secunia.com/advisories/34758http://secunia.com/advisories/34843http://secunia.com/advisories/34844http://secunia.com/advisories/34894http://secunia.com/advisories/35065https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6064https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6131https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6731