Vulnerability Name: CVE-2008-3837 (CCN-45348)
Assigned: 2008-09-23
Published: 2008-09-23
Updated: 2018-11-01
Summary: Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, and SeaMonkey before 1.1.12, allow user-assisted remote attackers to move a window during a mouse click, and possibly force a file download or unspecified other drag-and-drop action, via a crafted onmousedown action that calls window.moveBy, a variant of CVE-2003-0823.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): Low; Availability (A): None
CVSS v2 Severity: 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C); 6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Complete; Integrity (I): Complete; Availability (A): Complete
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N); 3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None
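The summary describes the pattern concretely enough to look for it in web content: a handler on the press half of a click (onmousedown) that calls window.moveBy, so the window shifts under the still-held button and the release is interpreted as a drag rather than a click. The Node.js script below is an added example written for this page; it is not code from Mozilla, from the advisory, or from any referenced vendor. It is a string-level heuristic for content-review or gateway tooling: it flags press handlers (inline attributes or script-registered) whose body moves or resizes the window. Treating moveTo/resizeBy/resizeTo and pointerdown as equivalents of the moveBy/onmousedown named in the CVE is this example's assumption, the sample documents are constructed, and a handler that only references a function defined elsewhere is not followed.

```javascript
'use strict';
// Added example for this CVE entry: a heuristic scanner for the forced-drag
// pattern (a mousedown handler that relocates the window while the button is
// held). Not code from Mozilla, the advisory, or any referenced vendor.

// Calls that move or resize the window relative to the pointer. moveBy is the
// call named in the CVE; the other three are included as an assumption that
// they can be used the same way.
const WINDOW_MOVE = /\b(?:(?:window|self|top|parent)\s*\.\s*)?(moveBy|moveTo|resizeBy|resizeTo)\s*\(/;

// Events that fire while the button is still held. onmousedown is the event
// named in the CVE; pointerdown is an assumed modern equivalent.
const PRESS_EVENTS = 'mousedown|pointerdown';

// Inline attribute handlers, e.g. <div onmousedown="window.moveBy(0, 40)">.
const INLINE_HANDLER = new RegExp(
  `\\bon(${PRESS_EVENTS})\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, 'gi');

// Script-registered handlers: addEventListener('mousedown', ...) or
// el.onmousedown = ...
const SCRIPT_HANDLER = new RegExp(
  `(?:addEventListener\\s*\\(\\s*['"](${PRESS_EVENTS})['"]|\\.on(${PRESS_EVENTS})\\s*=)`, 'gi');

// Return the handler body that starts at `from`: the first balanced {...}
// block, or, for an expression-bodied arrow function, the text up to the next
// ';'. A bare reference to a function defined elsewhere is not followed.
function handlerBody(src, from) {
  const open = src.indexOf('{', from);
  const semi = src.indexOf(';', from);
  if (open < 0 || (semi >= 0 && semi < open)) {
    return src.slice(from, semi < 0 ? src.length : semi);
  }
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(open, i + 1);
  }
  return src.slice(open); // unbalanced braces: truncated input
}

// Scan an HTML/JS document and return one finding per press handler whose
// body moves or resizes the window: { event, call, snippet }.
function findForcedDragHandlers(html) {
  const findings = [];
  let m;
  INLINE_HANDLER.lastIndex = 0;
  while ((m = INLINE_HANDLER.exec(html)) !== null) {
    const body = m[2] !== undefined ? m[2] : m[3];
    const call = WINDOW_MOVE.exec(body);
    if (call) findings.push({ event: m[1].toLowerCase(), call: call[1], snippet: body.trim() });
  }
  SCRIPT_HANDLER.lastIndex = 0;
  while ((m = SCRIPT_HANDLER.exec(html)) !== null) {
    // Only the handler body is inspected, so a moveTo elsewhere in the page
    // (a window positioning itself on load) is not counted.
    const body = handlerBody(html, m.index + m[0].length);
    const call = WINDOW_MOVE.exec(body);
    if (call) {
      findings.push({
        event: (m[1] || m[2]).toLowerCase(),
        call: call[1],
        snippet: body.replace(/\s+/g, ' ').trim(),
      });
    }
  }
  return findings;
}

// Constructed sample documents (not real pages).
const SAMPLES = {
  // The pattern from the CVE: the window jumps while the button is held, so
  // the release lands on a different element and the click becomes a drag.
  crafted: `<a href="http://example.invalid/setup.exe" id="bait">Continue</a>
<script>
  document.getElementById('bait').addEventListener('mousedown', function (e) {
    window.moveBy(0, 40); // shift the window under the held button
  });
</script>`,
  inlineCrafted: `<div onmousedown="window.moveBy(0, 40)">press</div>`,
  arrowCrafted: `<script>const b = document.body; b.onmousedown = e => window.moveBy(0, 40);</script>`,
  // moveTo outside a press handler, plus a press handler that does not move
  // the window: no finding expected.
  benign: `<body onload="window.moveTo(100, 100)">
<script>window.addEventListener('mousedown', function () { console.log('down'); });</script>
</body>`,
};

// Summarise findings per sample as "event->call" strings.
function scanSamples() {
  const report = {};
  for (const [name, doc] of Object.entries(SAMPLES)) {
    report[name] = findForcedDragHandlers(doc).map((f) => `${f.event}->${f.call}`);
  }
  return report;
}

console.log(JSON.stringify(scanSamples(), null, 2));
```

The fix for this issue lives in the browser (the fixed releases are the ones named in the summary and the configurations), so the scanner is a triage aid for content reaching unpatched clients, not a mitigation: it reports that the pattern is present, not that a drag or download would actually result.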
Vulnerability Type: CWE-Other
Vulnerability Consequences: Other
References:
Source: MITRE; Type: CNA; CVE-2008-3837
Source: CONFIRM; Type: Third Party Advisory; http://download.novell.com/Download?buildid=WZXONb-tqBw~
Source: SUSE; Type: Third Party Advisory; SUSE-SA:2008:050
Source: CCN; Type: RHSA-2008-0879; Critical: firefox security update
Source: CCN; Type: RHSA-2008-0882; Critical: seamonkey security update
Source: CCN; Type: SA31984; Mozilla Firefox 2 Multiple Vulnerabilities
Source: SECUNIA; Type: Third Party Advisory; 31984
Source: SECUNIA; Type: Third Party Advisory; 31985
Source: SECUNIA; Type: Third Party Advisory; 31987
Source: CCN; Type: SA32010; Mozilla SeaMonkey Multiple Vulnerabilities
Source: SECUNIA; Type: Third Party Advisory; 32010
Source: CCN; Type: SA32011; Mozilla Firefox 3 Multiple Vulnerabilities
Source: SECUNIA; Type: Third Party Advisory; 32011
Source: SECUNIA; Type: Third Party Advisory; 32012
Source: SECUNIA; Type: Third Party Advisory; 32042
Source: SECUNIA; Type: Third Party Advisory; 32044
Source: SECUNIA; Type: Third Party Advisory; 32089
Source: SECUNIA; Type: Third Party Advisory; 32095
Source: SECUNIA; Type: Third Party Advisory; 32096
Source: SECUNIA; Type: Third Party Advisory; 32144
Source: SECUNIA; Type: Third Party Advisory; 32185
Source: SECUNIA; Type: Third Party Advisory; 32196
Source: SECUNIA; Type: Third Party Advisory; 32845
Source: SECUNIA; Type: Third Party Advisory; 33433
Source: CCN; Type: SA34501; Sun Solaris Firefox Multiple Vulnerabilities
Source: SECUNIA; Type: Third Party Advisory; 34501
Source: CCN; Type: SECTRACK ID: 1020922; Mozilla Firefox May Let Remote Users Hijack User Clicks to Perform Certain Actions
Source: SLACKWARE; Type: Third Party Advisory; SSA:2008-269-02
Source: SLACKWARE; Type: Third Party Advisory; SSA:2008-269-01
Source: SUNALERT; Type: Broken Link; 256408
Source: CCN; Type: Sun Alert ID: 256408; Multiple Security Vulnerabilities in Firefox Versions Before 2.0.0.19 May Allow Execution of Arbitrary Code or Access to Unauthorized Data
Source: CCN; Type: ASA-2008-421; seamonkey security update (RHSA-2008-0882)
Source: CCN; Type: ASA-2008-422; firefox security update (RHSA-2008-0879)
Source: CCN; Type: ASA-2009-158; Multiple Security Vulnerabilities in Firefox Versions Before 2.0.0.19 May Allow Execution of Arbitrary Code or Access to Unauthorized Data (Sun 256408)
Source: CCN; Type: NORTEL BULLETIN ID: 2009009505, Rev 1; Nortel Response to Sun Alert 256408 - Solaris 10 - Vulnerabilities in Firefox May Allow Execution of Arbitrary Code
Source: DEBIAN; Type: Third Party Advisory; DSA-1649
Source: DEBIAN; Type: Third Party Advisory; DSA-1669
Source: DEBIAN; Type: Third Party Advisory; DSA-1697
Source: DEBIAN; Type: DSA-1649; iceweasel -- several vulnerabilities
Source: DEBIAN; Type: DSA-1669; xulrunner -- several vulnerabilities
Source: DEBIAN; Type: DSA-1697; iceape -- several vulnerabilities
Source: MANDRIVA; Type: Third Party Advisory; MDVSA-2008:205
Source: CCN; Type: MFSA 2008-40; Forced mouse drag
Source: CONFIRM; Type: Vendor Advisory; http://www.mozilla.org/security/announce/2008/mfsa2008-40.html
Source: REDHAT; Type: Third Party Advisory; RHSA-2008:0879
Source: REDHAT; Type: Third Party Advisory; RHSA-2008:0882
Source: BID; Type: Third Party Advisory, VDB Entry; 31346
Source: CCN; Type: BID-31346; Mozilla Firefox/SeaMonkey/Thunderbird Multiple Remote Vulnerabilities
Source: SECTRACK; Type: Third Party Advisory, VDB Entry; 1020922
Source: CCN; Type: USN-645-1; Firefox and xulrunner vulnerabilities
Source: UBUNTU; Type: Third Party Advisory; USN-645-1
Source: CCN; Type: USN-645-2; Firefox vulnerabilities
Source: UBUNTU; Type: Third Party Advisory; USN-645-2
Source: CCN; Type: USN-645-3; Firefox and xulrunner regression
Source: VUPEN; Type: Third Party Advisory; ADV-2008-2661
Source: VUPEN; Type: Third Party Advisory; ADV-2009-0977
Source: CCN; Type: Bugzilla@Mozilla - Bug 329385; Attacker can force mouse drag
Source: CONFIRM; Type: Issue Tracking, Patch, Vendor Advisory; https://bugzilla.mozilla.org/show_bug.cgi?id=329385
Source: XF; Type: Third Party Advisory, VDB Entry; firefox-draganddrop-weak-security(45348)
Source: XF; Type: UNKNOWN; firefox-draganddrop-weak-security(45348)
Source: OVAL; Type: Third Party Advisory; oval:org.mitre.oval:def:9950
Source: FEDORA; Type: Third Party Advisory; FEDORA-2008-8425
Source: FEDORA; Type: Third Party Advisory; FEDORA-2008-8401
Source: FEDORA; Type: Third Party Advisory; FEDORA-2008-8429
Source: SUSE; Type: SUSE-SA:2008:050; Mozilla security problems
Vulnerable Configuration:
Configuration 1:
  cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version < 2.0.0.17)
  OR cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version >= 3.0 and < 3.0.2)
  OR cpe:/a:mozilla:seamonkey:*:*:*:*:*:*:*:* (Version < 1.1.12)
Configuration 2:
  cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*
Configuration 3:
  cpe:/o:canonical:ubuntu_linux:6.06:*:*:*:lts:*:*:*
  OR cpe:/o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*
  OR cpe:/o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*
  OR cpe:/o:canonical:ubuntu_linux:8.04:*:*:*:lts:*:*:*
Configuration RedHat 1:
  cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*
Configuration RedHat 2:
  cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
Configuration RedHat 3:
  cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
Configuration RedHat 4:
  cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
Configuration RedHat 5:
  cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
Configuration RedHat 6:
  cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
Configuration RedHat 7:
  cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*
Configuration RedHat 8:
  cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*
Configuration RedHat 9:
  cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*
Configuration CCN 1:
  cpe:/a:mozilla:firefox:2.0:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:seamonkey:1.1.3:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:seamonkey:1.1.2:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:seamonkey:1.1.1:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:seamonkey:1.1.4:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:seamonkey:1.1.5:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:seamonkey:1.1.6:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:seamonkey:1.1.7:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:seamonkey:1.1.8:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:seamonkey:1.1.9:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:3.0:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:2.0.0.15:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:firefox:3.0.1:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:seamonkey:1.1.10:*:*:*:*:*:*:*
  OR cpe:/a:mozilla:seamonkey:1.1.11:*:*:*:*:*:*:*
  AND
  cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  OR cpe:/o:suse:suse_linux:9.0:*:*:*:*:*:*:*
  OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  OR cpe:/o:novell:linux_desktop:9:*:*:*:*:*:*:*
  OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*
  OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
  OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*
  OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:*
  OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:*
  OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*
  OR cpe:/o:canonical:ubuntu:7.04:*:*:*:*:*:*:*
  OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*
  OR cpe:/o:canonical:ubuntu:7.10:*:*:*:*:*:*:*
  OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*
  OR cpe:/o:mandrakesoft:mandrake_linux:2008.1:x86_64:*:*:*:*:*:*
  OR cpe:/a:novell:open_enterprise_server:*:*:*:*:*:*:*:*
  OR cpe:/o:opensuse:opensuse:10.2:*:*:*:*:*:*:*
  OR cpe:/o:opensuse:opensuse:10.3:*:*:*:*:*:*:*
  OR cpe:/o:mandrakesoft:mandrake_linux:2008.1:*:*:*:*:*:*:*
  OR cpe:/o:canonical:ubuntu:8.04::lts:*:*:*:*:*
  OR cpe:/o:opensuse:opensuse:11.0:*:*:*:*:*:*:*
  OR cpe:/o:novell:suse_linux_enterprise_server:10:sp2:itanium_ia64:*:*:*:*:*
Vulnerable Components (vendor, product, version):
mozilla firefox *
mozilla firefox *
mozilla seamonkey *
debian debian linux 4.0
canonical ubuntu linux 6.06
canonical ubuntu linux 7.04
canonical ubuntu linux 7.10
canonical ubuntu linux 8.04
mozilla firefox 2.0
mozilla firefox 2.0.0.1
mozilla firefox 2.0.0.2
mozilla firefox 2.0.0.3
mozilla firefox 2.0.0.4
mozilla firefox 2.0.0.5
mozilla seamonkey 1.1.3
mozilla firefox 2.0.0.6
mozilla firefox 2.0.0.9
mozilla seamonkey 1.1.2
mozilla seamonkey 1.1.1
mozilla firefox 2.0.0.7
mozilla seamonkey 1.1.4
mozilla firefox 2.0.0.8
mozilla seamonkey 1.1.5
mozilla seamonkey 1.1.6
mozilla firefox 2.0.0.11
mozilla firefox 2.0.0.12
mozilla firefox 2.0.0.10
mozilla firefox 2.0.0.13
mozilla seamonkey 1.1.7
mozilla seamonkey 1.1.8
mozilla seamonkey 1.1.9
mozilla firefox 2.0.0.14
mozilla firefox 3.0
mozilla firefox 2.0.0.15
mozilla firefox 3.0.1
mozilla seamonkey 1.1.10
mozilla seamonkey 1.1.11
redhat enterprise linux 2.1
redhat enterprise linux 2.1
redhat enterprise linux 2.1
suse suse linux 9.0
redhat enterprise linux 3
redhat enterprise linux 3
redhat enterprise linux 3
redhat enterprise linux 3
mandrakesoft mandrake linux corporate server 3.0
redhat enterprise linux 4
redhat enterprise linux 4
novell linux desktop 9
redhat enterprise linux 4
redhat enterprise linux 4
redhat linux advanced workstation 2.1
canonical ubuntu 6.06
mandrakesoft mandrake linux corporate server 4.0
mandrakesoft mandrake linux corporate server 4.0
mandrakesoft mandrake linux corporate server 3.0
redhat enterprise linux 5
redhat enterprise linux 5
mandrakesoft mandrake linux 2008.0
debian debian linux 4.0
canonical ubuntu 7.04
redhat enterprise linux 5
canonical ubuntu 7.10
mandrakesoft mandrake linux 2008.0
mandrakesoft mandrake linux 2008.1 x86_64
novell open enterprise server *
novell opensuse 10.2
novell opensuse 10.3
mandrakesoft mandrake linux 2008.1
canonical ubuntu 8.04
novell opensuse 11.0
novell suse linux enterprise server 10 sp2