Vulnerability Name:

CVE-2005-2703 (CCN-22376)

Assigned:2005-09-21
Published:2005-09-21
Updated:2017-10-11
Summary:Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to modify HTTP headers of XML HTTP requests via XMLHttpRequest, and possibly use the client to exploit vulnerabilities in servers or proxies, including HTTP request smuggling and HTTP request splitting.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-94
Vulnerability Consequences:Obtain Information
References:Source: SCO
Type: UNKNOWN
SCOSA-2005.49

Source: MITRE
Type: CNA
CVE-2005-2703

Source: CCN
Type: RHSA-2005-785
firefox security update

Source: CCN
Type: RHSA-2005-789
mozilla security update

Source: CCN
Type: RHSA-2005-791
thunderbird security update

Source: CCN
Type: SA16911
Firefox Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
16911

Source: CCN
Type: SA16917
Mozilla Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
16917

Source: SECUNIA
Type: Vendor Advisory
16977

Source: SECUNIA
Type: Vendor Advisory
17014

Source: SECUNIA
Type: Vendor Advisory
17026

Source: SECUNIA
Type: Vendor Advisory
17042

Source: SECUNIA
Type: Vendor Advisory
17090

Source: SECUNIA
Type: Vendor Advisory
17149

Source: SECUNIA
Type: Vendor Advisory
17263

Source: SECUNIA
Type: Vendor Advisory
17284

Source: CCN
Type: SECTRACK ID: 1014954
Mozilla Firefox Integer/Buffer Overflows, Spoofing Bugs, and Access Control Errors Let Remote Users Execute Arbitrary Code

Source: SECTRACK
Type: UNKNOWN
1014954

Source: CCN
Type: CIAC INFORMATION BULLETIN P-310
Firefox Security Update

Source: CCN
Type: CIAC INFORMATION BULLETIN P-311
Mozilla Security Update

Source: DEBIAN
Type: UNKNOWN
DSA-838

Source: DEBIAN
Type: UNKNOWN
DSA-866

Source: DEBIAN
Type: UNKNOWN
DSA-868

Source: DEBIAN
Type: DSA-838
mozilla-firefox -- multiple vulnerabilities

Source: DEBIAN
Type: DSA-866
mozilla -- several vulnerabilities

Source: DEBIAN
Type: DSA-868
mozilla-thunderbird -- several vulnerabilities

Source: CCN
Type: GLSA-200509-11
Mozilla Suite, Mozilla Firefox: Multiple vulnerabilities

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2005:169

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2005:170

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2005:174

Source: CCN
Type: Mozilla Firefox Download Web page
Firefox - Rediscover the web

Source: CCN
Type: Mozilla Suite Download Web page
Mozilla Suite- The All-in-One Internet Application Suite

Source: CCN
Type: MFSA 2005-58
Firefox, Mozilla Suite

Source: CONFIRM
Type: UNKNOWN
http://www.mozilla.org/security/announce/mfsa2005-58.html

Source: CCN
Type: MFSA 2005-59
Command-line handling on Linux allows shell execution

Source: SUSE
Type: UNKNOWN
SUSE-SA:2005:058

Source: FEDORA
Type: UNKNOWN
FLSA-2006:168375

Source: REDHAT
Type: UNKNOWN
RHSA-2005:785

Source: REDHAT
Type: UNKNOWN
RHSA-2005:789

Source: REDHAT
Type: UNKNOWN
RHSA-2005:791

Source: BID
Type: UNKNOWN
14923

Source: CCN
Type: BID-14923
Mozilla Browser/Firefox Arbitrary HTTP Request Injection Vulnerability

Source: BID
Type: UNKNOWN
15495

Source: CCN
Type: BID-15495
SCO OpenServer Release 5.0.7 Maintenance Pack 4 Released - Multiple Vulnerabilities Fixed

Source: CCN
Type: USN-186-1
Mozilla and Firefox vulnerabilities

Source: CCN
Type: USN-186-2
Ubuntu 4.10 packages for USN-186-1 Firefox security update

Source: CCN
Type: USN-200-1
Thunderbird vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-200-1

Source: VUPEN
Type: UNKNOWN
ADV-2005-1824

Source: XF
Type: UNKNOWN
mozilla-xmlhttprequest-spoofing(22376)

Source: XF
Type: UNKNOWN
mozilla-xmlhttprequest-spoofing(22376)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10767

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1089

Source: SUSE
Type: SUSE-SA:2005:058
mozillaMozillaFirefox: remote command execution

Vulnerable Configuration:Configuration 1:
  • cpe:/a:mozilla:firefox:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version <= 1.0.6)
  • OR cpe:/a:mozilla:mozilla_suite:1.7.6:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla_suite:1.7.7:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla_suite:1.7.8:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla_suite:1.7.10:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla_suite:*:*:*:*:*:*:*:* (Version <= 1.7.11)

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:mozilla:firefox:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla_suite:1.7.6:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla_suite:1.7.7:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla_suite:1.7.8:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla_suite:1.7.11:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla_suite:1.7.10:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:suse:linux_enterprise_server:8:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.2:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1::as:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:novell:linux_desktop:9:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:10.0::oss:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006:*:*:*:*:*:*:*
  • OR cpe:/o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.1::x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006::x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.3:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20052703
    V
    CVE-2005-2703
    2015-11-16
    oval:org.mitre.oval:def:10767
    V
    Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to modify HTTP headers of XML HTTP requests via XMLHttpRequest, and possibly use the client to exploit vulnerabilities in servers or proxies, including HTTP request smuggling and HTTP request splitting.
    2013-04-29
    oval:org.mitre.oval:def:1089
    V
    XMLHttpRequest Header Spoofing Vulnerability
    2007-05-09
    oval:org.debian:def:866
    V
    several vulnerabilities
    2005-10-20
    oval:org.debian:def:868
    V
    several vulnerabilities
    2005-10-20
    oval:com.redhat.rhsa:def:20050791
    P
    RHSA-2005:791: thunderbird security update (Important)
    2005-10-06
    oval:org.debian:def:838
    V
    multiple vulnerabilities
    2005-10-02
    oval:com.redhat.rhsa:def:20050785
    P
    RHSA-2005:785: firefox security update (Critical)
    2005-09-22
    oval:com.redhat.rhsa:def:20050789
    P
    RHSA-2005:789: mozilla security update (Critical)
    2005-09-22
    BACK
    mozilla firefox 1.0
    mozilla firefox 1.0.1
    mozilla firefox 1.0.2
    mozilla firefox 1.0.3
    mozilla firefox 1.0.4
    mozilla firefox 1.0.5
    mozilla firefox *
    mozilla mozilla suite 1.7.6
    mozilla mozilla suite 1.7.7
    mozilla mozilla suite 1.7.8
    mozilla mozilla suite 1.7.10
    mozilla mozilla suite *
    mozilla firefox 1.0
    mozilla mozilla suite 1.7.6
    mozilla firefox 1.0.1
    mozilla firefox 1.0.2
    mozilla firefox 1.0.3
    mozilla mozilla suite 1.7.7
    mozilla firefox 1.0.4
    mozilla mozilla suite 1.7.8
    mozilla firefox 1.0.6
    mozilla mozilla suite 1.7.11
    mozilla firefox 1.0.5
    mozilla mozilla suite 1.7.10
    gentoo linux *
    suse linux enterprise server 8
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    suse suse linux 9.0
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    suse suse linux 9.1
    redhat enterprise linux 3
    suse suse linux 9.2
    mandrakesoft mandrake linux 10.1
    redhat enterprise linux 2.1
    mandrakesoft mandrake linux corporate server 3.0
    redhat enterprise linux 4
    redhat enterprise linux 4
    novell linux desktop 9
    redhat enterprise linux 4
    redhat enterprise linux 4
    debian debian linux 3.1
    suse suse linux 10.0
    redhat linux advanced workstation 2.1
    mandrakesoft mandrake linux 2006
    suse linux enterprise server 9
    mandrakesoft mandrake linux 10.1
    mandrakesoft mandrake linux 2006
    mandrakesoft mandrake linux corporate server 3.0
    suse suse linux 9.3