Vulnerability Name: CVE-2007-1092 (CCN-32648)

Assigned:2007-02-23
Published:2007-02-23
Updated:2018-10-16
Summary:Mozilla Firefox 1.5.0.9 and 2.0.0.1, and SeaMonkey before 1.0.8 allow remote attackers to execute arbitrary code via JavaScript onUnload handlers that modify the structure of a document, which triggers memory corruption due to the lack of a finalize hook on DOM window objects.
CVSS v3 Severity:9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.6 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:UR)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
5.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:UR)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: SGI
Type: UNKNOWN
20070202-01-P

Source: SGI
Type: UNKNOWN
20070301-01-P

Source: FULLDISC
Type: UNKNOWN
20070222 Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)

Source: CCN
Type: Full-Disclosure Mailing List, Fri Feb 23 2007 - 06:49:41 CST
[Full-disclosure] Firefox: onUnload tailgating (MSIE7 entrapment bug variant)

Source: MITRE
Type: CNA
CVE-2007-1092

Source: HP
Type: UNKNOWN
HPSBUX02153

Source: SUSE
Type: UNKNOWN
SUSE-SA:2007:019

Source: OSVDB
Type: UNKNOWN
32103

Source: CCN
Type: RHSA-2007-0077
Critical: seamonkey security update

Source: CCN
Type: RHSA-2007-0078
Critical: thunderbird security update

Source: CCN
Type: RHSA-2007-0079
Critical: Firefox security update

Source: SECUNIA
Type: UNKNOWN
24333

Source: SECUNIA
Type: UNKNOWN
24343

Source: SECUNIA
Type: UNKNOWN
24384

Source: SECUNIA
Type: UNKNOWN
24395

Source: SECUNIA
Type: UNKNOWN
24457

Source: SECUNIA
Type: UNKNOWN
24650

Source: SREASON
Type: UNKNOWN
2302

Source: CCN
Type: SECTRACK ID: 1017701
Mozilla Firefox onUnload Event and document.write() Race Condition May Let Remote Users Execute Arbitrary Code

Source: SLACKWARE
Type: UNKNOWN
SSA:2007-066-05

Source: CCN
Type: ASA-2007-095
thunderbird security update (RHSA-2007-0078)

Source: CCN
Type: US-CERT VU#393921
Mozilla Firefox fails to properly handle JavaScript onUnload events

Source: CERT-VN
Type: US Government Resource
VU#393921

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2007:050

Source: CCN
Type: MFSA 2007-08
onUnload + document.write() memory corruption

Source: CONFIRM
Type: UNKNOWN
http://www.mozilla.org/security/announce/2007/mfsa2007-08.html

Source: SUSE
Type: UNKNOWN
SUSE-SA:2007:022

Source: CCN
Type: OSVDB ID: 32103
Mozilla Multiple Products onUnload document.write() Memory Corruption

Source: REDHAT
Type: UNKNOWN
RHSA-2007:0078

Source: BUGTRAQ
Type: UNKNOWN
20070223 Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)

Source: BID
Type: Exploit, Patch
22679

Source: CCN
Type: BID-22679
Mozilla Firefox OnUnload Memory Corruption Vulnerability

Source: SECTRACK
Type: UNKNOWN
1017701

Source: CCN
Type: USN-428-1
Firefox vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-428-1

Source: CCN
Type: USN-428-2
Firefox regression

Source: CCN
Type: Mozilla Bugzilla Bug 371321
memory corruption when onUnload is mixed with document.write()s

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.mozilla.org/show_bug.cgi?id=371321

Source: XF
Type: UNKNOWN
ie-mozilla-onunload-dos(32647)

Source: XF
Type: UNKNOWN
mozilla-onunload-code-execution(32648)

Source: CONFIRM
Type: UNKNOWN
https://issues.rpath.com/browse/RPL-1103

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:11158

Source: SUSE
Type: SUSE-SA:2007:019
MozillaFirefox security update 1.5.0.10/2.0.0.2

Source: SUSE
Type: SUSE-SA:2007:022
Mozilla security problems

Vulnerable Configuration:Configuration 1:
  • cpe:/a:mozilla:firefox:1.5.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:*:*:*:*:*:*:*:* (Version <= 1.0.7)

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*
  • AND
  • cpe:/o:suse:linux_enterprise_server:8:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/a:suse:suse_linux_school_server:-:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:novell:linux_desktop:9:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/a:novell:open_enterprise_server:*:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:10.0::oss:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:10.1::personal:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*
  • OR cpe:/a:novell:open_enterprise_server:*:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:10.2:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.3:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.mitre.oval:def:11158 | V | Mozilla Firefox 1.5.0.9 and 2.0.0.1, and SeaMonkey before 1.0.8 allow remote attackers to execute arbitrary code via JavaScript onUnload handlers that modify the structure of a document, which triggers memory corruption due to the lack of a finalize hook on DOM window objects. | 2013-04-29
    oval:com.redhat.rhsa:def:20070077 | P | RHSA-2007:0077: seamonkey security update (Critical) | 2008-03-20
    oval:com.redhat.rhsa:def:20070078 | P | RHSA-2007:0078: thunderbird security update (Critical) | 2007-04-10
    oval:com.redhat.rhsa:def:20070079 | P | RHSA-2007:0079: Firefox security update (Critical) | 2007-02-23