NVD Vulnerability Detail

CVE-2008-4582

Summary	Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.
Publication Date	Oct. 16, 2008, 5:08 a.m.
Registration Date	Jan. 29, 2021, 1:43 p.m.
Last Update	Oct. 31, 2018, 1:25 a.m.

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:P/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	はい

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:4.0:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:mozilla:firefox:3.0.1:::::::*
cpe:2.3:a:mozilla:firefox:3.0.2:::::::*
cpe:2.3:a:mozilla:firefox:3.0.3:::::::*
execution environment
1	cpe:2.3:o:microsoft:windows::::::::

Configuration3		or higher	or less	more than	less than
cpe:2.3:a:mozilla:firefox:2.0:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.1:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.10:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.11:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.12:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.13:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.14:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.15:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.16:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.17:::::::*
execution environment
1	cpe:2.3:o:microsoft:windows::::::::

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:6.06::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:7.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:8.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:8.10:::::::*

Configuration5		or higher	or less	more than	less than
cpe:2.3:a:mozilla:seamonkey:1.0:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0:alpha::::::
cpe:2.3:a:mozilla:seamonkey:1.0:beta::::::
cpe:2.3:a:mozilla:seamonkey:1.0.1:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.2:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.3:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.4:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.5:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.6:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.7:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.8:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.9:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1:alpha::::::
cpe:2.3:a:mozilla:seamonkey:1.1:beta::::::
cpe:2.3:a:mozilla:seamonkey:1.1.1:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.2:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.3:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.4:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.5:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.6:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.7:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.8:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.9:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.10:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.11:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.12:::::::*
execution environment
1	cpe:2.3:o:microsoft:windows::::::::

Related information, measures and tools

No	URL	refsource	タグ
1	http://liudieyu0.blog124.fc2.com/blog-entry-6.html	MISC	Broken Link
2	http://secunia.com/advisories/32192	SECUNIA	Permissions Required Third Party Advisory
3	http://secunia.com/advisories/32684	SECUNIA	Permissions Required Third Party Advisory
4	http://secunia.com/advisories/32693	SECUNIA	Permissions Required Third Party Advisory
5	http://secunia.com/advisories/32714	SECUNIA	Permissions Required Third Party Advisory
6	http://secunia.com/advisories/32721	SECUNIA	Permissions Required Third Party Advisory
7	http://secunia.com/advisories/32778	SECUNIA	Permissions Required Third Party Advisory
8	http://secunia.com/advisories/32845	SECUNIA	Permissions Required Third Party Advisory
9	http://secunia.com/advisories/32853	SECUNIA	Permissions Required Third Party Advisory
10	http://secunia.com/advisories/33433	SECUNIA	Permissions Required Third Party Advisory
11	http://secunia.com/advisories/33434	SECUNIA	Permissions Required Third Party Advisory
12	http://secunia.com/advisories/34501	SECUNIA	Permissions Required Third Party Advisory
13	http://securityreason.com/securityalert/4416	SREASON	Third Party Advisory
14	http://securitytracker.com/alerts/2008/Nov/1021212.html	SECTRACK	Third Party Advisory VDB Entry
15	http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1	SUNALERT	Broken Link
16	http://ubuntu.com/usn/usn-667-1	UBUNTU	Third Party Advisory
17	http://www.debian.org/security/2008/dsa-1669	DEBIAN	Third Party Advisory
18	http://www.debian.org/security/2008/dsa-1671	DEBIAN	Third Party Advisory
19	http://www.debian.org/security/2009/dsa-1696	DEBIAN	Third Party Advisory
20	http://www.debian.org/security/2009/dsa-1697	DEBIAN	Third Party Advisory
21	http://www.mozilla.org/security/announce/2008/mfsa2008-47.html	CONFIRM	Vendor Advisory
22	http://www.securityfocus.com/archive/1/497091/100/0/threaded	BUGTRAQ
23	http://www.securityfocus.com/bid/31611	BID	Third Party Advisory VDB Entry
24	http://www.securityfocus.com/bid/31747	BID	Third Party Advisory VDB Entry
25	http://www.securitytracker.com/id?1021190	SECTRACK	Third Party Advisory VDB Entry
26	http://www.us-cert.gov/cas/techalerts/TA08-319A.html	CERT	Third Party Advisory US Government Resource
27	http://www.vupen.com/english/advisories/2008/2818	VUPEN	Not Applicable
28	http://www.vupen.com/english/advisories/2009/0977	VUPEN	Not Applicable
29	https://bugzilla.mozilla.org/show_bug.cgi?id=455311	MISC	Issue Tracking
30	https://exchange.xforce.ibmcloud.com/vulnerabilities/45740	XF
31	https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00366.html	FEDORA	Not Applicable
32	https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00385.html	FEDORA	Not Applicable

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html

Configuration3		or higher	or less	more than	less than
cpe:2.3:a:mozilla:firefox:2.0:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.1:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.10:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.11:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.12:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.13:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.14:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.15:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.16:::::::*
cpe:2.3:a:mozilla:firefox:2.0.0.17:::::::*
execution environment
1	cpe:2.3:o:microsoft:windows::::::::

Configuration5		or higher	or less	more than	less than
cpe:2.3:a:mozilla:seamonkey:1.0:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0:alpha::::::
cpe:2.3:a:mozilla:seamonkey:1.0:beta::::::
cpe:2.3:a:mozilla:seamonkey:1.0.1:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.2:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.3:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.4:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.5:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.6:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.7:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.8:::::::*
cpe:2.3:a:mozilla:seamonkey:1.0.9:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1:alpha::::::
cpe:2.3:a:mozilla:seamonkey:1.1:beta::::::
cpe:2.3:a:mozilla:seamonkey:1.1.1:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.2:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.3:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.4:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.5:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.6:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.7:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.8:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.9:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.10:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.11:::::::*
cpe:2.3:a:mozilla:seamonkey:1.1.12:::::::*
execution environment
1	cpe:2.3:o:microsoft:windows::::::::