Red Hat Customer Portal

CVE-2007-3844

Impact: Moderate
Public Date: 2007-07-31
Bugzilla: 250648: CVE-2007-3844 Privilege escalation through chrome-loaded about:blank windows

The MITRE CVE dictionary describes this issue as:

Mozilla Firefox 2.0.0.5, Thunderbird 2.0.0.5 and before 1.5.0.13, and SeaMonkey 1.1.3 allows remote attackers to conduct cross-site scripting (XSS) attacks with chrome privileges via an addon that inserts a (1) javascript: or (2) data: link into an about:blank document loaded by chrome via (a) the window.open function or (b) a content.location assignment, aka "Cross Context Scripting." NOTE: this issue is caused by a CVE-2007-3089 regression.

Find out more about CVE-2007-3844 from the MITRE CVE dictionary and NIST NVD.

Statement

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250648

The Red Hat Security Response Team has rated this issue as having moderate security impact. A future update may address this flaw.

Red Hat Security Errata

| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 5 (thunderbird) | RHSA-2007:0981 | 2007-10-19 |
| Red Hat Enterprise Linux 4 (seamonkey) | RHSA-2007:0980 | 2007-10-19 |
| Red Hat Enterprise Linux 4 (thunderbird) | RHSA-2007:0981 | 2007-10-19 |
| Red Hat Enterprise Linux 4 (firefox) | RHSA-2007:0979 | 2007-10-19 |
| Red Hat Enterprise Linux 3 (seamonkey) | RHSA-2007:0980 | 2007-10-19 |
| Red Hat Enterprise Linux 5 (firefox) | RHSA-2007:0979 | 2007-10-19 |
| Red Hat Enterprise Linux 2.1 (seamonkey) | RHSA-2007:0980 | 2007-10-19 |
| Red Hat Enterprise Linux Optional Productivity Applications (v. 5 server) (thunderbird) | RHSA-2007:0981 | 2007-10-19 |

Affected Packages State

| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux Optional Productivity Applications (v. 5 server) | thunderbird 1.5.0.12-5.el5 | Fixed |
