Vulnerability CVE-2008-5915 - CERT Civis.Net

Vulnerability Name:

CVE-2008-5915 (CCN-48173)

Assigned:

2008-01-29

Published:

2008-01-29

Updated:

2021-11-15

Summary:

An unspecified function in the JavaScript implementation in Google Chrome creates and exposes a "temporary footprint" when there is a current login to a web site, which makes it easier for remote attackers to trick a user into acting upon a spoofed pop-up message, aka an "in-session phishing attack."
Note: as of 20090116, the only disclosure is a vague pre-advisory with no actionable information. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

CVSS v3 Severity:

4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N)
1.6 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Other

References:

Source: CCN
Type: ars technica Web site
New in-session phishing attack could fool experienced users

Source: MISC
Type: Third Party Advisory
http://arstechnica.com/news.ars/post/20090113-new-method-of-phishmongering-could-fool-experienced-users.html

Source: MITRE
Type: CNA
CVE-2008-5912

Source: MITRE
Type: CNA
CVE-2008-5913

Source: MITRE
Type: CNA
CVE-2008-5914

Source: MITRE
Type: CNA
CVE-2008-5915

Source: CCN
Type: RHSA-2010-0500
Critical: firefox security, bug fix, and enhancement update

Source: CCN
Type: RHSA-2010-0501
Critical: firefox security, bug fix, and enhancement update

Source: CCN
Type: SA40309
Mozilla Firefox Multiple Vulnerabilities

Source: CCN
Type: SA40326
Mozilla SeaMonkey Multiple Vulnerabilities

Source: CCN
Type: Apple Web site
Safari

Source: CCN
Type: darkREADING Web site
New Phishing Attack Targets Online Banking Sessions With Phony Popups

Source: MISC
Type: Third Party Advisory
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212900161

Source: CCN
Type: Google Chrome Web site
Google Chrome

Source: CCN
Type: InfoWorld Web site
Browser bug could allow phishing without e-mail

Source: MISC
Type: Broken Link
http://www.infoworld.com/article/09/01/13/Browser_bug_could_allow_phishing_without_email_1.html

Source: CCN
Type: Microsoft Internet Explorer Web site
Internet Explorer

Source: CCN
Type: Mozilla Firefox Web site
Firefox web browser | Faster, more secure, & customizable

Source: CCN
Type: MFSA 2010-33
User tracking across sites using Math.random()

Source: CCN
Type: OSVDB ID: 53340
Microsoft IE JavaScript Implementation Web Site Temporary Footprint Spoofing Weakness

Source: CCN
Type: OSVDB ID: 53341
Mozilla Firefox JavaScript Implementation Web Site Temporary Footprint Spoofing Weakness

Source: CCN
Type: OSVDB ID: 53342
Apple Safari JavaScript Implementation Web Site Temporary Footprint Spoofing Weakness

Source: CCN
Type: OSVDB ID: 53343
Google Chrome JavaScript Implementation Web Site Temporary Footprint Spoofing Weakness

Source: CCN
Type: OSVDB ID: 68048
Mozilla Multiple Products JavaScript Implementation js_InitRandom Function Multiple Pointer RNG Seeding Weakness

Source: BID
Type: Third Party Advisory, VDB Entry
33276

Source: CCN
Type: BID-33276
Multiple Browser JavaScript Engine 'Math.Random()' Cross Domain Information Disclosure Vulnerability

Source: CCN
Type: BID-41050
RETIRED: Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2010-26/27/28/29/30/32 Remote Vulnerabilities

Source: CCN
Type: Trusteer Web site
In Session Phishing Attacks

Source: MISC
Type: Third Party Advisory
http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf

Source: XF
Type: UNKNOWN
multiple-browser-js-weak-security(48173)

Source: SUSE
Type: SUSE-SA:2010:030
Mozilla Firefox security update

Vulnerable Configuration:

Configuration 1:

cpe:/a:google:chrome:-:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:microsoft:ie:*:*:*:*:*:*:*:*

OR cpe:/a:apple:safari:*:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0.5:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0.7:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.4:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.5:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.6:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0.4:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0.6:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0.8:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0.9:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.7:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.8:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.9:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1::beta:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0::alpha:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.10:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.11:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.12:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.13:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:*:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.14:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1.15:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.1::alpha:*:*:*:*:*

OR cpe:/a:mozilla:firefox:3.5:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:3.5.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:3.5.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:3.5.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:3.5.4:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0::beta:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0::dev:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.0.99:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.5.0.8:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.5.0.9:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:1.5.0.10:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:3.5.5:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:2.0:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:3.6:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:2.0.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:2.0.4:*:*:*:*:*:*:*

AND

cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

OR cpe:/o:novell:suse_linux_enterprise_server:10:sp2:itanium_ia64:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:11.0:*:*:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.0:*:*:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.0:-:x86_64:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.1:*:*:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.1:*:*:*:x86_64:*:*:*

OR cpe:/o:mandriva:enterprise_server:5:*:*:*:*:*:*:*

OR cpe:/o:mandriva:enterprise_server:5:*:*:*:x86_64:*:*:*

OR cpe:/o:mandriva:linux:2010:*:*:*:x86_64:*:*:*

OR cpe:/o:mandriva:linux:2010:*:*:*:*:*:*:*

Denotes that component is vulnerable