Vulnerability Name:

CVE-2004-0718 (CCN-1598)

Assigned:1998-12-23
Published:1998-12-23
Updated:2017-10-11
Summary:The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability.
CVSS v3 Severity:3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Obtain Information
References:Source: SCO
Type: UNKNOWN
SCOSA-2005.49

Source: CCN
Type: BugTraq Mailing List, Tue Nov 30 1999 - 11:53:44 CST
Default IE 5.0 security settings allow frame spoofing

Source: CONFIRM
Type: UNKNOWN
http://bugzilla.mozilla.org/show_bug.cgi?id=246448

Source: MITRE
Type: CNA
CVE-1999-0827

Source: MITRE
Type: CNA
CVE-1999-0869

Source: MITRE
Type: CNA
CVE-2004-0717

Source: MITRE
Type: CNA
CVE-2004-0718

Source: MITRE
Type: CNA
CVE-2004-0719

Source: MITRE
Type: CNA
CVE-2004-0720

Source: MITRE
Type: CNA
CVE-2004-0721

Source: MITRE
Type: CNA
CVE-2005-1937

Source: CCN
Type: Conectiva Linux Security Announcement CLSA-2004:864
Fix for multiple security vulnerabilities

Source: CCN
Type: Conectiva Linux Security Announcement CLSA-2004:877
New upstream for mozilla

Source: CCN
Type: Apple Security Update 2004-09-07
Component: Safari

Source: CCN
Type: Netscape Security Notes
The Frame-Spoofing Vulnerability

Source: FEDORA
Type: UNKNOWN
FLSA:2089

Source: CCN
Type: RHSA-2004-412
kdelibs

Source: CCN
Type: RHSA-2004-421
mozilla security update

Source: CCN
Type: RHSA-2005-586
firefox security update

Source: CCN
Type: RHSA-2005-587
mozilla security update

Source: CCN
Type: SA11966
Internet Explorer Frame Injection Vulnerability

Source: CCN
Type: SA11978
Multiple Browsers Frame Injection Vulnerability

Source: SECUNIA
Type: Vendor Advisory
11978

Source: CCN
Type: SA15601
Mozilla / Mozilla Firefox Frame Injection Vulnerability

Source: MISC
Type: Vendor Advisory
http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

Source: CCN
Type: Slackware Security Advisories Fri, 3 Sep 2004 22:01:35 -0700 (PDT)
[slackware-security] kde (SSA:2004-247-01)

Source: CCN
Type: Slackware Security Advisories Tue, 10 Aug 2004 14:17:12 -0700 (PDT)
[slackware-security] Mozilla (SSA:2004-223-01)

Source: CCN
Type: Sun Alert ID: 57701
Multiple Security Vulnerabilities in Mozilla

Source: CCN
Type: CIAC Information Bulletin O-195
Mozilla Updated Security Packages

Source: CCN
Type: CIAC Information Bulletin O-212
Apple Security Update

Source: CCN
Type: CIAC Information Bulletin P-069
Sun - Multiple Mozilla Vulnerabilities

Source: CCN
Type: CIAC INFORMATION BULLETIN P-251
Mozilla Security Updates

Source: CCN
Type: CIAC INFORMATION BULLETIN P-252
Firefox Security Updates

Source: DEBIAN
Type: UNKNOWN
DSA-777

Source: DEBIAN
Type: UNKNOWN
DSA-810

Source: DEBIAN
Type: DSA-775
mozilla-firefox -- frame injection spoofing

Source: DEBIAN
Type: DSA-777
mozilla -- frame injection spoofing

Source: DEBIAN
Type: DSA-810
mozilla -- several vulnerabilities

Source: CCN
Type: KDE Security Advisory advisory-20040811-3
Konqueror Frame Injection Vulnerability

Source: MANDRAKE
Type: UNKNOWN
MDKSA-2004:082

Source: CCN
Type: Microsoft Security Bulletin MS98-020
Patch Available for "Frame Spoof" Vulnerability

Source: SUSE
Type: UNKNOWN
SUSE-SA:2004:036

Source: CCN
Type: OSVDB ID: 59836
Opera Cross-domain Frame Injection Content Spoofing

Source: CCN
Type: OSVDB ID: 59837
Apple Safari Cross-domain Frame Injection Content Spoofing

Source: CCN
Type: OSVDB ID: 7296
Microsoft IE Cross-domain Frame Injection Content Spoofing

Source: CCN
Type: OSVDB ID: 7866
Microsoft IE Frame Spoofing Content Injection

Source: CCN
Type: OSVDB ID: 7874
Microsoft IE Cross Domain Sub-frame Navigation Content Spoofing

Source: REDHAT
Type: UNKNOWN
RHSA-2004:421

Source: CCN
Type: BID-10763
Opera Web Browser Cross-Domain Frame Loading Vulnerability

Source: CCN
Type: BID-10877
Mozilla Cross-Domain Frame Loading Vulnerability

Source: CCN
Type: BID-10921
KDE Konqueror Cross-Domain Frame Loading Vulnerability

Source: CCN
Type: BID-11140
Apple Safari Cross-Domain Frame Loading Vulnerability

Source: CCN
Type: BID-14242
Mozilla Suite, Firefox And Thunderbird Multiple Vulnerabilities

Source: BID
Type: UNKNOWN
15495

Source: CCN
Type: BID-15495
SCO OpenServer Release 5.0.7 Maintenance Pack 4 Released - Multiple Vulnerabilities Fixed

Source: CCN
Type: BID-855
Internet Explorer Subframe Spoofing Vulnerability

Source: CCN
Type: USN-149-1
Firefox vulnerabilities

Source: CCN
Type: USN-149-2
Fixed Firefox packages for USN-149-1

Source: CCN
Type: USN-149-3
Ubuntu 4.10 update for Firefox vulnerabilities

Source: CCN
Type: USN-155-1
Mozilla vulnerabilities

Source: CCN
Type: USN-155-2
Updated Epiphany packages to match Mozilla security update

Source: CCN
Type: USN-155-3
Fixed mozilla locale packages

Source: XF
Type: UNKNOWN
http-frame-spoof(1598)

Source: XF
Type: UNKNOWN
http-frame-spoof(1598)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:4756

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:9997

Source: CCN
Type: Microsoft Knowledge Base Article 167614
Update Available For "Frame Spoof" Security Issue

Source: CCN
Type: SUSE-SA:2004:030
apache2: remote DoS condition

Source: CCN
Type: SUSE-SA:2004:031
cups: remote code execution

Source: CCN
Type: SUSE-SA:2004:032
apache2: remote denial-of-service

Source: CCN
Type: SUSE-SA:2004:033
gtk2 gdk-pixbuf: remote code execution

Source: CCN
Type: SUSE-SA:2004:034
XFree86-libs xshared: remote command execution

Source: CCN
Type: SUSE-SA:2004:035
samba: remote file disclosure

Source: CCN
Type: SUSE-SA:2004:036
mozilla: various vulnerabilities

Source: CCN
Type: SUSE-SA:2005:045
mozilla MozillaFirefox epiphany galeon: information leak

Vulnerable Configuration:Configuration 1:
  • cpe:/a:firebirdsql:firebird:0.7:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.6:*:*:*:*:*:*:*
  • OR cpe:/a:netscape:navigator:7.1:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:microsoft:internet_explorer:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:netscape:navigator:*:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:*:*:*:*:*:*:*:*
  • OR cpe:/a:opera:opera_browser:7.51:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla_suite:1.7.7:*:*:*:*:*:*:*
  • OR cpe:/a:opera:opera_browser:7.50:*:*:*:*:*:*:*
  • AND
  • cpe:/o:sun:sunos:5.8:*:*:*:*:*:*:*
  • OR cpe:/o:sun:sunos:5.9:*:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:linux_enterprise_server:8:*:*:*:*:*:*:*
  • OR cpe:/o:slackware:slackware_linux:current:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:aw:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:slackware:slackware_linux:9.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:9.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:10:*:*:*:*:*:*:*
  • OR cpe:/o:slackware:slackware_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:3.2.3:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.2:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:1.0:*:desktop:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:novell:linux_desktop:9:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1:*:itanium:*:*:*:*:*
  • OR cpe:/o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.1:*:x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:9.2:*:amd64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.0:*:amd64:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20040718
    V
    		CVE-2004-0718
    2015-11-16
    oval:org.mitre.oval:def:9997
    V
    		The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability.
    2013-04-29
    oval:org.debian:def:810
    V
    		several vulnerabilities
    2005-09-13
    oval:org.debian:def:777
    V
    		frame injection spoofing
    2005-08-17
    oval:org.debian:def:775
    V
    		frame injection spoofing
    2005-08-15
    oval:org.mitre.oval:def:4756
    V
    		Mozilla, Firebird, Firefox Frame Injection Vulnerability
    2005-03-09
    oval:com.redhat.rhsa:def:20040421
    P
    		RHSA-2004:421: mozilla security update (Critical)
    2004-08-04
    BACK
    firebirdsql firebird 0.7
    mozilla mozilla 1.6
    netscape navigator 7.1
    microsoft ie 3.0.1
    microsoft ie 3.0.2
    microsoft ie 4.0
    microsoft ie 4.0.1
    netscape navigator *
    apple safari *
    opera opera browser 7.51
    mozilla firefox 1.0.3
    mozilla mozilla suite 1.7.7
    opera opera browser 7.50
    sun solaris 8
    sun solaris 9
    gentoo linux *
    suse suse linux 8.1
    suse linux enterprise server 8
    slackware slackware linux current
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    suse suse linux 8.2
    redhat enterprise linux 2.1
    conectiva linux 9.0
    slackware slackware linux 9.1
    suse suse linux 9.0
    mandrakesoft mandrake linux 9.2
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    mandrakesoft mandrake linux 10.0
    suse suse linux 9.1
    redhat enterprise linux 3
    conectiva linux 10
    slackware slackware linux 10.0
    kde kde 3.2.3
    suse suse linux 9.2
    mandrakesoft mandrake linux 10.1
    suse suse linux 1.0
    mandrakesoft mandrake linux corporate server 3.0
    redhat enterprise linux 4
    redhat enterprise linux 4
    novell linux desktop 9
    redhat enterprise linux 4
    redhat enterprise linux 4
    debian debian linux 3.1
    redhat linux advanced workstation 2.1
    suse linux enterprise server 9
    mandrakesoft mandrake linux 10.1
    mandrakesoft mandrake linux corporate server 3.0
    mandrakesoft mandrake linux 9.2
    mandrakesoft mandrake linux 10.0
    suse suse linux 9.3