CVE-2009-1308

NameCVE-2009-1308
DescriptionCross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay listing.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-1797-1
NVD severitymedium (attack range: remote, user-initiated)
Debian/oldoldstablenot known to be vulnerable.
Debian/oldstablenot vulnerable.
Debian/stablenot known to be vulnerable.
Debian/testingnot known to be vulnerable.
Debian/unstablenot known to be vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xulrunner (PTS)wheezy (security), wheezy24.8.1esr-2~deb7u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xulrunnersource(unstable)1.9.0.9-1medium
xulrunnersourceetch(unfixed)end-of-life
xulrunnersourcelenny1.9.0.9-0lenny2mediumDSA-1797-1

Notes

[etch] - xulrunner <end-of-life> (Etch Packages no longer covered by security support)

Search for package or bug name: Reporting problems