Vulnerability Name: CVE-2004-1156 (CCN-18397)

Assigned: 2004-12-08
Published: 2004-12-08
Updated: 2017-10-11
Summary: Mozilla before 1.7.6, and Firefox before 1.0.1, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability.
CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): Low
  Integrity (I): Low
  Availability (A): Low
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Medium
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): Partial
  Availability (A): None
CVSS v2 Severity: 7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): Partial
  Availability (A): Partial
Vulnerability Type: CWE-Other
Vulnerability Consequences: Other
References:

Source: CCN
Type: Microsoft Security Response Center Blog, Tuesday, October 31, 2006 2:05
Information on New Address Bar Issue

Source: MITRE
Type: CNA
CVE-2004-1122

Source: MITRE
Type: CNA
CVE-2004-1155

Source: MITRE
Type: CNA
CVE-2004-1156

Source: MITRE
Type: CNA
CVE-2004-1157

Source: MITRE
Type: CNA
CVE-2004-1158

Source: MITRE
Type: CNA
CVE-2004-1160

Source: MITRE
Type: CNA
CVE-2004-1314

Source: CCN
Type: RHSA-2005-009
kdelibs

Source: CCN
Type: RHSA-2005-176
firefox security update

Source: CCN
Type: RHSA-2005-384
Mozilla security update

Source: CCN
Type: SA12892
Safari Dialog Box Spoofing Vulnerability

Source: CCN
Type: SA13129
Mozilla / Mozilla Firefox Window Injection Vulnerability

Source: SECUNIA
Type: Vendor Advisory
13129

Source: CCN
Type: SA13251
Microsoft Internet Explorer Window Injection Vulnerability

Source: CCN
Type: SA13252
Safari Window Injection Vulnerability

Source: CCN
Type: SA13253
Opera Window Injection Vulnerability

Source: CCN
Type: SA13254
Konqueror Window Injection Vulnerability

Source: CCN
Type: SA13402
Netscape Window Injection Vulnerability

Source: CCN
Type: SA22628
Internet Explorer 7 Window Injection Vulnerability

Source: MISC
Type: UNKNOWN
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

Source: MISC
Type: Vendor Advisory
http://secunia.com/secunia_research/2004-13/advisory/

Source: CCN
Type: CIAC INFORMATION BULLETIN P-149
Firefox Security Update

Source: CCN
Type: GLSA-200412-16
kdelibs, kdebase: Multiple vulnerabilities

Source: CCN
Type: GLSA-200502-17
Opera: Multiple vulnerabilities

Source: CCN
Type: GLSA-200503-10
Mozilla Firefox: Various vulnerabilities

Source: GENTOO
Type: UNKNOWN
GLSA-200503-10

Source: CCN
Type: GLSA-200503-30
Mozilla Suite: Multiple vulnerabilities

Source: GENTOO
Type: UNKNOWN
GLSA-200503-30

Source: CCN
Type: Fedora Update Notification FEDORA-2004-548
Fedora: kdelibs-3.2.2-10.FC2 update

Source: CCN
Type: Fedora Update Notification FEDORA-2004-549
kdebase-3.2.2-8.FC2 update

Source: CCN
Type: Fedora Update Notification FEDORA-2004-550
kdelibs-3.3.1-2.4.FC3 update

Source: CCN
Type: Fedora Update Notification FEDORA-2004-551
kdebase-3.3.1-4.3.FC3 update

Source: CONFIRM
Type: UNKNOWN
http://www.mozilla.org/security/announce/mfsa2005-13.html

Source: CCN
Type: OSVDB ID: 12313
Microsoft IE Cross-domain Browser Window Injection Content Spoofing

Source: CCN
Type: OSVDB ID: 13183
Apple Safari Cross-domain Browser Window Injection Content Spoofing

Source: CCN
Type: OSVDB ID: 59844
Opera Cross-domain Browser Window Injection Content Spoofing

Source: CCN
Type: OSVDB ID: 59845
Netscape Cross-domain Browser Window Injection Content Spoofing

Source: REDHAT
Type: UNKNOWN
RHSA-2005:176

Source: REDHAT
Type: UNKNOWN
RHSA-2005:384

Source: CCN
Type: BID-11852
Netscape Remote Window Hijacking Vulnerability

Source: CCN
Type: BID-11853
KDE Konqueror Remote Window Hijacking Vulnerability

Source: CCN
Type: BID-11854
Mozilla Browser and Mozilla Firefox Remote Window Hijacking Vulnerability

Source: CCN
Type: BID-11855
Microsoft Internet Explorer Remote Window Hijacking Vulnerability

Source: CCN
Type: BID-11856
Opera Web Browser Remote Window Hijacking Vulnerability

Source: CCN
Type: BID-11857
Apple Safari Remote Window Hijacking Vulnerability

Source: CCN
Type: BID-11875
Omni Group OmniWeb Browser Remote Window Hijacking Vulnerability

Source: CCN
Type: BID-11876
ICab Web Browser Remote Window Hijacking Vulnerability

Source: CCN
Type: USN-149-3
Ubuntu 4.10 update for Firefox vulnerabilities

Source: XF
Type: UNKNOWN
web-browser-popup-spoofing(18397)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:100045

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10117

Source: SUSE
Type: SUSE-SA:2005:034
opera: various problems

Source: SUSE
Type: SUSE-SR:2004:004
SUSE Security Summary Report

Source: SUSE
Type: SUSE-SR:2004:005
SUSE Security Summary Report

Source: SUSE
Type: SUSE-SR:2005:001
SUSE Security Summary Report

Source: SUSE
Type: SUSE-SR:2005:003
SUSE Security Summary Report

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:mozilla:firefox:0.8:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9:rc:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.10:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.10.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:0.8:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:0.9.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:0.9.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:0.9.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:0.9.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:0.9.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:0.9.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:0.9.6:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:0.9.7:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:0.9.8:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:0.9.9:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:0.9.35:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:0.9.48:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.1:alpha:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.1:beta:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.2:alpha:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.2:beta:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.4:alpha:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.4:beta:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.6:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:alpha:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:beta:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:rc1:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:rc2:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:rc3:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.3:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:netscape:navigator:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:opera:opera_browser:7.54:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:-:sp1:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora_core:2:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.2:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.1:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora_core:3:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.1::x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.0::amd64:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.3:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:

| Definition ID | Class | Title | Last Modified |
|---|---|---|---|
| oval:org.mitre.oval:def:10117 | V | Mozilla before 1.7.6, and Firefox before 1.0.1, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. | 2013-04-29 |
| oval:org.mitre.oval:def:100045 | V | Mozilla Popup Content Spoofing Vulnerability | 2007-05-09 |
| oval:com.redhat.rhsa:def:20050384 | P | RHSA-2005:384: Mozilla security update (Important) | 2005-04-28 |
| oval:com.redhat.rhsa:def:20050176 | P | RHSA-2005:176: firefox security update (Critical) | 2005-03-01 |