| Vulnerability Name: | CVE-2007-4038 (CCN-38326) | ||||||||
| Assigned: | 2007-07-25 | ||||||||
| Published: | 2007-07-25 | ||||||||
| Updated: | 2018-10-15 | ||||||||
| Summary: | Argument injection vulnerability in Mozilla Firefox before 2.0.0.5, when running on systems with Thunderbird 1.5 installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a mailto URI, which are inserted into the command line that is created when invoking Thunderbird.exe, a similar issue to CVE-2007-3670. | ||||||||
| CVSS v3 Severity: | 9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
| ||||||||
| CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N) 3.4 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C)
6.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
| ||||||||
| Vulnerability Type: | CWE-94 | ||||||||
| Vulnerability Consequences: | Gain Access | ||||||||
| References: | Source: MITRE Type: CNA CVE-2007-4038 Source: MISC Type: UNKNOWN http://larholm.com/2007/07/25/mozilla-protocol-abuse/ Source: CCN Type: Full-Disclosure Mailing List, Wed, 25 Jul 2007 20:48:23 +0200 Mozilla protocol abuse Source: FULLDISC Type: UNKNOWN 20070725 Mozilla protocol abuse Source: CCN Type: Mozilla Web site Mozilla Download Source: BUGTRAQ Type: UNKNOWN 20070725 Mozilla protocol abuse Source: BUGTRAQ Type: UNKNOWN 20070726 Re: Mozilla protocol abuse Source: XF Type: UNKNOWN mozilla-uri-mailto-command-execution(38326) | ||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||
| BACK | |||||||||