CVE Database

CVE-2007-3844

Impact: Moderate
Public: 2007-07-31
Bugzilla: 250648: CVE-2007-3844 Privilege escalation through chrome-loaded about:blank windows

Details

The MITRE CVE dictionary describes this issue as:

Mozilla Firefox 2.0.0.5, Thunderbird 2.0.0.5 and before 1.5.0.13, and SeaMonkey 1.1.3 allows remote attackers to conduct cross-site scripting (XSS) attacks with chrome privileges via an addon that inserts a (1) javascript: or (2) data: link into an about:blank document loaded by chrome via (a) the window.open function or (b) a content.location assignment, aka "Cross Context Scripting." NOTE: this issue is caused by a CVE-2007-3089 regression.

Find out more about CVE-2007-3844 from the MITRE CVE dictionary and NIST NVD.

Statement

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250648
The Red Hat Security Response Team has rated this issue as having moderate security impact. A future update may address this flaw.

Red Hat security errata

Platform | Errata | Release Date
Red Hat Enterprise Linux Desktop version 5 (thunderbird) | RHSA-2007:0981 | October 19, 2007
Red Hat Enterprise Linux version 2.1 (seamonkey) | RHSA-2007:0980 | October 19, 2007
Red Hat Enterprise Linux version 3 (seamonkey) | RHSA-2007:0980 | October 19, 2007
Red Hat Enterprise Linux version 4 (firefox) | RHSA-2007:0979 | October 19, 2007
Red Hat Enterprise Linux version 4 (seamonkey) | RHSA-2007:0980 | October 19, 2007
Red Hat Enterprise Linux version 4 (thunderbird) | RHSA-2007:0981 | October 19, 2007
Red Hat Enterprise Linux version 5 (firefox) | RHSA-2007:0979 | October 19, 2007

External References

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.