CVE-2007-3656

Name: CVE-2007-3656
Description: Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not perform a security zone check when processing a wyciwyg URI, which allows remote attackers to obtain sensitive information, poison the browser cache, and possibly enable further attack vectors via (1) HTTP 302 redirect controls, (2) XMLHttpRequest, or (3) view-source URIs.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-1337-1, DSA-1338-1, DSA-1339-1, DTSA-45-1, DTSA-47-1, DTSA-51-1
NVD severity: medium (attack range: remote, user-initiated)
Debian/oldoldstable: not vulnerable.
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| iceape (PTS) | squeeze (security) | 2.0.11-17 | fixed |
| iceweasel (PTS) | squeeze, squeeze (security) | 3.5.16-20 | fixed |
| | wheezy | 31.3.0esr-1~deb7u1 | fixed |
| | wheezy (security) | 31.8.0esr-1~deb7u1 | fixed |
| | jessie | 31.6.0esr-1 | fixed |
| | jessie (security) | 31.8.0esr-1~deb8u1 | fixed |
| | stretch, sid | 38.1.0esr-3 | fixed |
| xulrunner (PTS) | wheezy, wheezy (security) | 24.8.1esr-2~deb7u1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| iceape | source | (unstable) | 1.1.3-1 | high | | |
| iceape | source | etch | 1.0.10~pre070720-0etch1 | medium | DSA-1339-1 | |
| iceape | source | lenny | 1.0.10~pre070720-0etch1+lenny1 | medium | DTSA-47-1 | |
| iceweasel | source | (unstable) | 2.0.0.5-1 | high | | |
| iceweasel | source | etch | 2.0.0.5-0etch1 | medium | DSA-1338-1 | |
| iceweasel | source | lenny | 2.0.0.5-0etch1+lenny1 | medium | DTSA-45-1 | |
| xulrunner | source | (unstable) | 1.8.1.5-1 | high | | |
| xulrunner | source | etch | 1.8.0.13~pre070720-0etch1 | medium | DSA-1337-1 | |
| xulrunner | source | lenny | 1.8.0.13~pre070720-0etch3+lenny1 | medium | DTSA-51-1 | |

Notes

MFSA2007-24
