XSS in Mozilla Firefox

CVE-2008-2808

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly escape HTML in file:// URLs in directory listings, which allows remote attackers to conduct cross-site scripting (XSS) attacks or have unspecified other impact via…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.013 (67.8th percentile) — read the EPSS interpretation.

Affected products

Mozilla Firefox — versions 2.0, 2.0.0.2, 2.0.0.3
Mozilla Seamonkey — versions 1.1, 1.1.1, 1.1.2
Mozilla Thunderbird — versions 2.0_.4, 2.0_.5, 2.0_.6
Redhat Advanced_workstation_for_the_itanium_processor — versions 2.1
Redhat Desktop — versions 3.0, 4.0
Redhat Enterprise_linux — versions 5_server, as_2.1, as_3
Redhat Enterprise_linux_desktop — versions 5_client
Redhat Enterprise_linux_desktop_workstation — versions 5_client
Redhat Fedora — versions 8
Ubuntu Ubuntu_linux — versions 6.06, 7.04, 7.10

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

secalert@redhat.com (vendor-advisory, x_refsource_SUSE)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (vendor-advisory, x_refsource_DEBIAN)
secalert@redhat.com (x_refsource_SECUNIA, third-party-advisory)
secalert@redhat.com (signature, x_refsource_OVAL, vdb-entry)
secalert@redhat.com (x_refsource_SECUNIA, third-party-advisory)
secalert@redhat.com (x_refsource_CONFIRM)
secalert@redhat.com (x_refsource_CONFIRM)
secalert@redhat.com (x_refsource_SECUNIA, third-party-advisory)
secalert@redhat.com (vendor-advisory, x_refsource_SLACKWARE)