Vulnerability Name:

CVE-2007-2871 (CCN-34606)

Assigned:2007-05-31
Published:2007-05-31
Updated:2018-10-16
Summary:Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to spoof or hide the browser chrome, such as the location bar, by placing XUL popups outside of the browser's content pane.
Note: this issue can be leveraged for phishing and other attacks.
CVSS v3 Severity:3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
1.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2007-2871

Source: HP
Type: UNKNOWN
HPSBUX02153

Source: CCN
Type: DSA 1308-1
New iceweasel packages fix several vulnerabilities

Source: OSVDB
Type: UNKNOWN
35137

Source: CCN
Type: RHSA-2007-0400
Critical: firefox security update

Source: CCN
Type: RHSA-2007-0401
Critical: thunderbird security update

Source: CCN
Type: RHSA-2007-0402
Critical: seamonkey security update

Source: CCN
Type: SA25469
Mozilla Firefox Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
25469

Source: SECUNIA
Type: UNKNOWN
25476

Source: CCN
Type: SA25488
Mozilla SeaMonkey Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
25488

Source: SECUNIA
Type: UNKNOWN
25490

Source: SECUNIA
Type: UNKNOWN
25491

Source: SECUNIA
Type: UNKNOWN
25533

Source: SECUNIA
Type: UNKNOWN
25534

Source: SECUNIA
Type: UNKNOWN
25559

Source: SECUNIA
Type: UNKNOWN
25635

Source: SECUNIA
Type: UNKNOWN
25647

Source: SECUNIA
Type: UNKNOWN
25685

Source: SECUNIA
Type: UNKNOWN
25750

Source: SECUNIA
Type: UNKNOWN
25858

Source: GENTOO
Type: UNKNOWN
GLSA-200706-06

Source: CCN
Type: SECTRACK ID: 1018155
Mozilla Firefox XUL Popups Let Remote Users Spoof Portions of the Browser Chrome

Source: CCN
Type: SECTRACK ID: 1018156
Mozilla Seamonkey XUL Popups Let Remote Users Spoof Portions of the Browser Chrome

Source: SLACKWARE
Type: UNKNOWN
SSA:2007-152-02

Source: CCN
Type: ASA-2007-218
thunderbird security update (RHSA-2007-0401)

Source: CCN
Type: ASA-2007-291
Firefox security update (RHSA-2007-0400)

Source: CCN
Type: ASA-2007-295
SeaMonkey security update (RHSA-2007-0402)

Source: CCN
Type: ASA-2008-008
Multiple Security Vulnerabilities in Firefox and Thunderbird for Solaris 10 May Allow Execution of Arbitrary Code and Access to Unauthorized Data (Sun 103177)

Source: DEBIAN
Type: UNKNOWN
DSA-1300

Source: DEBIAN
Type: UNKNOWN
DSA-1306

Source: DEBIAN
Type: UNKNOWN
DSA-1308

Source: DEBIAN
Type: DSA-1300
iceape -- several vulnerabilities

Source: DEBIAN
Type: DSA-1306
xulrunner -- several vulnerabilities

Source: DEBIAN
Type: DSA-1308
iceweasel -- several vulnerabilities

Source: CCN
Type: GLSA-200706-06
Mozilla products: Multiple vulnerabilities

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2007:120

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2007:126

Source: CCN
Type: MFSA 2007-17
XUL Popup Spoofing

Source: CONFIRM
Type: Vendor Advisory
http://www.mozilla.org/security/announce/2007/mfsa2007-17.html

Source: CCN
Type: MFSA 2007-32
File input focus stealing vulnerability

Source: SUSE
Type: UNKNOWN
SUSE-SA:2007:036

Source: CCN
Type: OSVDB ID: 35137
Mozilla Multiple Browser XUL Popup Spoofing

Source: REDHAT
Type: UNKNOWN
RHSA-2007:0400

Source: REDHAT
Type: UNKNOWN
RHSA-2007:0401

Source: REDHAT
Type: UNKNOWN
RHSA-2007:0402

Source: BUGTRAQ
Type: UNKNOWN
20070531 FLEA-2007-0023-1: firefox

Source: BID
Type: UNKNOWN
24242

Source: CCN
Type: BID-24242
Mozilla Products Multiple Remote Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1018155

Source: SECTRACK
Type: UNKNOWN
1018156

Source: CCN
Type: USN-468-1
Firefox vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-468-1

Source: CERT
Type: US Government Resource
TA07-151A

Source: VUPEN
Type: UNKNOWN
ADV-2007-1994

Source: XF
Type: UNKNOWN
mozilla-xulpopups-spoofing(34606)

Source: XF
Type: UNKNOWN
mozilla-xulpopups-spoofing(34606)

Source: CONFIRM
Type: UNKNOWN
https://issues.rpath.com/browse/RPL-1424

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:11433

Source: SUSE
Type: SUSE-SA:2007:036
Mozilla security updates

Vulnerable Configuration:Configuration 1:
  • cpe:/a:mozilla:firefox:1.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.1.2:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

    • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

    • Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

    • Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*

    • Configuration RedHat 9:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

    • Configuration RedHat 10:
  • cpe:/a:redhat:rhel_productivity:5:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:mozilla:firefox:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.5.0.8:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:novell:linux_desktop:9:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/a:novell:open_enterprise_server:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*
  • OR cpe:/o:novell:suse_linux_enterprise_server:10:sp2:itanium_ia64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*
  • OR cpe:/o:turbolinux:turbolinux:fuji:*:*:*:*:*:*:*
  • OR cpe:/o:turbolinux:turbolinux:*:*:personal:*:*:*:*:*
  • OR cpe:/o:turbolinux:turbolinux:*:*:home:*:*:*:*:*
  • OR cpe:/o:turbolinux:turbolinux:*:*:multimedia:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007.1:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:7.04:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:server:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007.1::x86-64:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4.5.z::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4.5.z::es:*:*:*:*:*
  • OR cpe:/a:novell:open_enterprise_server:*:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:10.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20072871
    V
    		CVE-2007-2871
    2015-11-16
    oval:org.mitre.oval:def:18785
    P
    		DSA-1300-1 iceape
    2014-06-23
    oval:org.mitre.oval:def:18918
    P
    		DSA-1306-1 xulrunner
    2014-06-23
    oval:org.mitre.oval:def:18949
    P
    		DSA-1308-1 iceweasel - several vulnerabilities
    2014-06-23
    oval:org.mitre.oval:def:22350
    P
    		ELSA-2007:0401: thunderbird security update (Critical)
    2014-05-26
    oval:org.mitre.oval:def:22347
    P
    		ELSA-2007:0400: firefox security update (Critical)
    2014-05-26
    oval:org.mitre.oval:def:11433
    V
    		Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to spoof or hide the browser chrome, such as the location bar, by placing XUL popups outside of the browser's content pane. NOTE: this issue can be leveraged for phishing and other attacks.
    2013-04-29
    oval:org.debian:def:1308
    V
    		several vulnerabilities
    2007-06-14
    oval:org.debian:def:1306
    V
    		several vulnerabilities
    2007-06-12
    oval:org.debian:def:1300
    V
    		several vulnerabilities
    2007-06-07
    oval:com.redhat.rhsa:def:20070400
    P
    		RHSA-2007:0400: firefox security update (Critical)
    2007-05-31
    oval:com.redhat.rhsa:def:20070401
    P
    		RHSA-2007:0401: thunderbird security update (Critical)
    2007-05-31
    oval:com.redhat.rhsa:def:20070402
    P
    		RHSA-2007:0402: seamonkey security update (Critical)
    2007-05-31
    BACK
    mozilla firefox 1.5
    mozilla firefox 1.5.0.1
    mozilla firefox 1.5.0.2
    mozilla firefox 1.5.0.3
    mozilla firefox 1.5.0.4
    mozilla firefox 1.5.0.5
    mozilla firefox 1.5.0.6
    mozilla firefox 1.5.0.7
    mozilla firefox 1.5.0.8
    mozilla firefox 1.5.0.9
    mozilla firefox 1.5.0.10
    mozilla firefox 1.5.0.11
    mozilla firefox 2.0
    mozilla firefox 2.0.0.1
    mozilla firefox 2.0.0.2
    mozilla firefox 2.0.0.3
    mozilla seamonkey 1.0.9
    mozilla seamonkey 1.1.2
    mozilla firefox 2.0
    mozilla firefox 1.5
    mozilla firefox 1.5.0.2
    mozilla firefox 1.5.0.3
    mozilla firefox 1.5.0.4
    mozilla firefox 1.5.0.6
    mozilla firefox 1.5.0.7
    mozilla firefox 1.5.0.9
    mozilla firefox 2.0.0.1
    mozilla firefox 2.0.0.2
    mozilla firefox 2.0.0.3
    mozilla seamonkey 1.1.2
    mozilla seamonkey 1.0.9
    mozilla firefox 1.5.0.1
    mozilla firefox 1.5.0.10
    mozilla firefox 1.5.0.11
    mozilla firefox 1.5.0.5
    mozilla firefox 1.5.0.8
    gentoo linux *
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    mandrakesoft mandrake linux corporate server 3.0
    redhat enterprise linux 4
    redhat enterprise linux 4
    novell linux desktop 9
    redhat enterprise linux 4
    redhat enterprise linux 4
    novell open enterprise server *
    redhat linux advanced workstation 2.1
    canonical ubuntu 6.06
    novell suse linux enterprise server 10 sp2
    mandrakesoft mandrake linux 2007
    mandrakesoft mandrake linux 2007
    mandrakesoft mandrake linux corporate server 4.0
    mandrakesoft mandrake linux corporate server 4.0
    mandrakesoft mandrake linux corporate server 3.0
    turbolinux turbolinux fuji
    turbolinux turbolinux personal *
    turbolinux turbolinux home *
    turbolinux turbolinux multimedia *
    redhat enterprise linux desktop 5.0
    redhat enterprise linux 5
    redhat enterprise linux 5
    mandrakesoft mandrake linux 2007.1
    debian debian linux 4.0
    canonical ubuntu 7.04
    redhat enterprise linux 5
    redhat enterprise linux 5
    mandrakesoft mandrake linux 2007.1
    redhat enterprise linux 4.5.z
    redhat enterprise linux 4.5.z
    novell open enterprise server *
    novell opensuse 10.2