Vulnerability Name:

CVE-2006-4568 (CCN-28961)

Assigned:2006-09-15
Published:2006-09-15
Updated:2018-10-17
Summary:Mozilla Firefox before 1.5.0.7 and SeaMonkey before 1.0.5 allows remote attackers to bypass the security model and inject content into the sub-frame of another site via targetWindow.frames[n].document.open(), which facilitates spoofing and other attacks.
CVSS v3 Severity:3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
1.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: SGI
Type: UNKNOWN
20060901-01-P

Source: MITRE
Type: CNA
CVE-2006-4568

Source: CCN
Type: RHSA-2006-0675
firefox security update

Source: CCN
Type: RHSA-2006-0676
seamonkey security update

Source: CCN
Type: SA21906
Mozilla Firefox Multiple Vulnerabilities

Source: SECUNIA
Type: Patch, Vendor Advisory
21906

Source: SECUNIA
Type: UNKNOWN
21915

Source: CCN
Type: SA21940
Mozilla SeaMonkey Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
21940

Source: SECUNIA
Type: Patch, Vendor Advisory
21949

Source: SECUNIA
Type: UNKNOWN
21950

Source: SECUNIA
Type: UNKNOWN
22001

Source: SECUNIA
Type: UNKNOWN
22025

Source: SECUNIA
Type: UNKNOWN
22036

Source: SECUNIA
Type: UNKNOWN
22056

Source: SECUNIA
Type: UNKNOWN
22066

Source: SECUNIA
Type: UNKNOWN
22195

Source: SECUNIA
Type: UNKNOWN
22210

Source: SECUNIA
Type: UNKNOWN
22247

Source: SECUNIA
Type: UNKNOWN
22299

Source: SECUNIA
Type: UNKNOWN
22342

Source: SECUNIA
Type: UNKNOWN
22391

Source: CCN
Type: SA22422
Avaya Products Firefox Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
22422

Source: SECUNIA
Type: UNKNOWN
22849

Source: CCN
Type: SA24711
Netscape Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
24711

Source: GENTOO
Type: UNKNOWN
GLSA-200609-19

Source: GENTOO
Type: UNKNOWN
GLSA-200610-04

Source: CCN
Type: SECTRACK ID: 1016855
Mozilla Seamonkey document.open() Function Lets Remote Users Inject HTML into Frames

Source: SECTRACK
Type: UNKNOWN
1016855

Source: CCN
Type: SECTRACK ID: 1016856
Mozilla Firefox document.open() Function Lets Remote Users Inject HTML into Frames

Source: SECTRACK
Type: UNKNOWN
1016856

Source: CCN
Type: ASA-2006-196
seamonkey security update (RHSA-2006-0676)

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2006-224.htm

Source: CCN
Type: ASA-2006-224
firefox security update (RHSA-2006-0675)

Source: CCN
Type: ASA-2007-097
HP-UX Running Firefox Remote Unauthorized Access or Elevation of Privileges or Denial of Service (DoS) (HPSBUX02153)

Source: DEBIAN
Type: UNKNOWN
DSA-1192

Source: DEBIAN
Type: UNKNOWN
DSA-1210

Source: DEBIAN
Type: DSA-1191
mozilla-thunderbird -- several vulnerabilities

Source: DEBIAN
Type: DSA-1192
mozilla -- several vulnerabilities

Source: DEBIAN
Type: DSA-1210
mozilla-firefox -- several vulnerabilities

Source: CCN
Type: GLSA-200609-19
Mozilla Firefox: Multiple vulnerabilities

Source: CCN
Type: GLSA-200610-04
Seamonkey: Multiple vulnerabilities

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2006:168

Source: CCN
Type: MFSA 2006-61
Frame spoofing using document.open()

Source: CONFIRM
Type: Vendor Advisory
http://www.mozilla.org/security/announce/2006/mfsa2006-61.html

Source: SUSE
Type: UNKNOWN
SUSE-SA:2006:054

Source: REDHAT
Type: UNKNOWN
RHSA-2006:0675

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2006:0676

Source: BUGTRAQ
Type: UNKNOWN
20060915 rPSA-2006-0169-1 firefox thunderbird

Source: BID
Type: UNKNOWN
20042

Source: CCN
Type: BID-20042
Mozilla Firefox/Thunderbird/Seamonkey Multiple Remote Vulnerabilities

Source: CCN
Type: USN-351-1
Firefox vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-351-1

Source: CCN
Type: USN-354-1
Firefox vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-354-1

Source: CCN
Type: USN-361-1
Mozilla vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-361-1

Source: DEBIAN
Type: UNKNOWN
DSA-1191

Source: VUPEN
Type: UNKNOWN
ADV-2006-3617

Source: VUPEN
Type: UNKNOWN
ADV-2006-3748

Source: VUPEN
Type: UNKNOWN
ADV-2007-1198

Source: VUPEN
Type: UNKNOWN
ADV-2008-0083

Source: HP
Type: UNKNOWN
SSRT061181

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.mozilla.org/show_bug.cgi?id=343168

Source: XF
Type: UNKNOWN
mozilla-documentopen-frame-spoofing(28961)

Source: XF
Type: UNKNOWN
mozilla-documentopen-frame-spoofing(28961)

Source: CONFIRM
Type: UNKNOWN
https://issues.rpath.com/browse/RPL-640

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:9843

Source: SUSE
Type: SUSE-SA:2006:054
Mozilla Firefox security update

Vulnerable Configuration:Configuration 1:
  • cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version <= 1.5.0.6)
  • OR cpe:/a:mozilla:seamonkey:*:*:*:*:*:*:*:* (Version <= 1.0.4)

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:mozilla:firefox:1.5:beta1:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0::dev:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5:beta2:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0::alpha:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0::beta:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1::as:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:novell:linux_desktop:9:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:10.0::oss:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:10.1::personal:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1::ws:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006::x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20064568
    V
    		CVE-2006-4568
    2015-11-16
    oval:org.mitre.oval:def:9843
    V
    		Mozilla Firefox before 1.5.0.7 and SeaMonkey before 1.0.5 allows remote attackers to bypass the security model and inject content into the sub-frame of another site via targetWindow.frames[n].document.open(), which facilitates spoofing and other attacks.
    2013-04-29
    oval:org.debian:def:1210
    V
    		several vulnerabilities
    2006-11-14
    oval:org.debian:def:1192
    V
    		several vulnerabilities
    2006-10-06
    oval:org.debian:def:1191
    V
    		several vulnerabilities
    2006-10-05
    oval:com.redhat.rhsa:def:20060675
    P
    		RHSA-2006:0675: firefox security update (Critical)
    2006-09-15
    oval:com.redhat.rhsa:def:20060676
    P
    		RHSA-2006:0676: seamonkey security update (Critical)
    2006-09-15
    BACK
    mozilla firefox *
    mozilla seamonkey *
    mozilla firefox 1.5 beta1
    mozilla seamonkey 1.0
    mozilla firefox 1.5
    mozilla firefox 1.5.0.2
    mozilla firefox 1.5.0.3
    mozilla firefox 1.5.0.4
    mozilla firefox 1.5.0.6
    mozilla seamonkey 1.0.2
    mozilla seamonkey 1.0
    mozilla seamonkey 1.0.1
    mozilla seamonkey 1.0.3
    mozilla seamonkey 1.0.4
    mozilla firefox 1.5.0.1
    mozilla firefox 1.5.0.5
    mozilla firefox 1.5 beta2
    mozilla seamonkey 1.0
    mozilla seamonkey 1.0
    gentoo linux *
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    suse suse linux 9.2
    redhat enterprise linux 2.1
    mandrakesoft mandrake linux corporate server 3.0
    redhat enterprise linux 4
    redhat enterprise linux 4
    novell linux desktop 9
    redhat enterprise linux 4
    redhat enterprise linux 4
    debian debian linux 3.1
    suse suse linux 10.0
    redhat linux advanced workstation 2.1
    mandrakesoft mandrake linux 2006
    canonical ubuntu 6.06
    suse suse linux 10.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    mandrakesoft mandrake linux 2006
    mandrakesoft mandrake linux corporate server 4.0
    mandrakesoft mandrake linux corporate server 4.0
    mandrakesoft mandrake linux corporate server 3.0
    suse suse linux 9.3