Vulnerability Name:

CVE-2005-0401 (CCN-19801)

Assigned:2005-03-23
Published:2005-03-23
Updated:2018-05-03
Summary:FireFox 1.0.1 and Mozilla before 1.7.6 do not sufficiently address all attack vectors for loading chrome files and hijacking drag and drop events, which allows remote attackers to execute arbitrary XUL code by tricking a user into dragging a scrollbar, a variant of CVE-2005-0527, aka "Firescrolling 2."
CVSS v3 Severity:5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:5.1 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2005-0401

Source: BUGTRAQ
Type: UNKNOWN
20050324 Firescrolling 2 [Firefox 1.0.1]

Source: MISC
Type: Exploit
http://mikx.de/firescrolling2/

Source: CCN
Type: RHSA-2005-335
mozilla security update

Source: CCN
Type: RHSA-2005-336
firefox security update

Source: CCN
Type: RHSA-2005-384
Mozilla security update

Source: CCN
Type: SA14654
Mozilla Firefox Three Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
14654

Source: CCN
Type: GLSA-200503-30
Mozilla Suite: Multiple vulnerabilities

Source: GENTOO
Type: Vendor Advisory
GLSA-200503-30

Source: CCN
Type: GLSA-200503-31
Mozilla Firefox: Multiple vulnerabilities

Source: CCN
Type: Mozilla Firefox Download Web page
Firefox - Rediscover the web

Source: CCN
Type: Mozilla Suite Download Web page
Mozilla Suite

Source: CCN
Type: MFSA 2005-32
Drag and drop loading of privileged XUL

Source: CONFIRM
Type: UNKNOWN
http://www.mozilla.org/security/announce/mfsa2005-32.html

Source: REDHAT
Type: Vendor Advisory
RHSA-2005:335

Source: REDHAT
Type: Vendor Advisory
RHSA-2005:336

Source: REDHAT
Type: UNKNOWN
RHSA-2005:384

Source: BID
Type: Exploit, Patch
12885

Source: CCN
Type: BID-12885
Mozilla Browser Remote Insecure XUL Start Up Script Loading Vulnerability

Source: CCN
Type: USN-149-3
Ubuntu 4.10 update for Firefox vulnerabilities

Source: VUPEN
Type: UNKNOWN
ADV-2005-0296

Source: XF
Type: UNKNOWN
mozilla-xul-bypass-security(19801)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:100026

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:9650

Vulnerable Configuration:Configuration 1:
  • cpe:/a:mozilla:firefox:0.8:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9:rc:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.10:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.10.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.4:alpha:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.5:alpha:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.5:rc1:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.5:rc2:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.6:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.6:alpha:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.6:beta:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:alpha:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:beta:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:rc1:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:rc2:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:rc3:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.5:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:mozilla:mozilla:1.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.6:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:rc3:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.8:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9:rc:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.10.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.10:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:0.9:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.4:alpha:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.5:alpha:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.5:rc1:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.5:rc2:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.6:alpha:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.6:beta:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:alpha:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:beta:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:rc1:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7:rc2:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.1::x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:9650
    V
    		The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.
    2013-04-29
    oval:org.mitre.oval:def:100026
    V
    		Mozilla XUL Drag and Drop Security Bypass Vulnerability
    2007-05-09
    oval:com.redhat.rhsa:def:20050384
    P
    		RHSA-2005:384: Mozilla security update (Important)
    2005-04-28
    oval:com.redhat.rhsa:def:20050335
    P
    		RHSA-2005:335: mozilla security update (Critical)
    2005-03-23
    oval:com.redhat.rhsa:def:20050336
    P
    		RHSA-2005:336: firefox security update (Critical)
    2005-03-23
    BACK
    mozilla firefox 0.8
    mozilla firefox 0.9
    mozilla firefox 0.9 rc
    mozilla firefox 0.9.1
    mozilla firefox 0.9.2
    mozilla firefox 0.9.3
    mozilla firefox 0.10
    mozilla firefox 0.10.1
    mozilla firefox 1.0
    mozilla mozilla 1.3
    mozilla mozilla 1.4
    mozilla mozilla 1.4 alpha
    mozilla mozilla 1.4.1
    mozilla mozilla 1.5
    mozilla mozilla 1.5 alpha
    mozilla mozilla 1.5 rc1
    mozilla mozilla 1.5 rc2
    mozilla mozilla 1.5.1
    mozilla mozilla 1.6
    mozilla mozilla 1.6 alpha
    mozilla mozilla 1.6 beta
    mozilla mozilla 1.7
    mozilla mozilla 1.7 alpha
    mozilla mozilla 1.7 beta
    mozilla mozilla 1.7 rc1
    mozilla mozilla 1.7 rc2
    mozilla mozilla 1.7 rc3
    mozilla mozilla 1.7.1
    mozilla mozilla 1.7.2
    mozilla mozilla 1.7.3
    mozilla mozilla 1.7.5
    mozilla mozilla 1.3
    mozilla mozilla 1.4
    mozilla mozilla 1.6
    mozilla mozilla 1.7 rc3
    mozilla firefox 0.8
    mozilla firefox 0.9 rc
    mozilla mozilla 1.7
    mozilla mozilla 1.7.1
    mozilla firefox 0.9.2
    mozilla firefox 0.9.1
    mozilla firefox 0.9.3
    mozilla mozilla 1.7.2
    mozilla mozilla 1.7.3
    mozilla firefox 0.10.1
    mozilla firefox 1.0
    mozilla mozilla 1.7.5
    mozilla firefox 1.0.1
    mozilla firefox 0.10
    mozilla firefox 0.9
    mozilla mozilla 1.4.1
    mozilla mozilla 1.4 alpha
    mozilla mozilla 1.5
    mozilla mozilla 1.5.1
    mozilla mozilla 1.5 alpha
    mozilla mozilla 1.5 rc1
    mozilla mozilla 1.5 rc2
    mozilla mozilla 1.6 alpha
    mozilla mozilla 1.6 beta
    mozilla mozilla 1.7.4
    mozilla mozilla 1.7 alpha
    mozilla mozilla 1.7 beta
    mozilla mozilla 1.7 rc1
    mozilla mozilla 1.7 rc2
    gentoo linux *
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    mandrakesoft mandrake linux 10.1
    mandrakesoft mandrake linux corporate server 3.0
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat linux advanced workstation 2.1
    mandrakesoft mandrake linux 10.1
    mandrakesoft mandrake linux corporate server 3.0