CVE-2008-4582

Description

Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.

References

Link	Tags
https://exchange.xforce.ibmcloud.com/vulnerabilities/45740	vdb entry
http://www.debian.org/security/2009/dsa-1697	third party advisory vendor advisory
http://www.securitytracker.com/id?1021190	third party advisory vdb entry
http://www.debian.org/security/2008/dsa-1671	third party advisory vendor advisory
https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00366.html	vendor advisory not applicable
http://www.vupen.com/english/advisories/2009/0977	vdb entry not applicable
https://bugzilla.mozilla.org/show_bug.cgi?id=455311	issue tracking
http://secunia.com/advisories/32192	third party advisory permissions required
http://www.mozilla.org/security/announce/2008/mfsa2008-47.html	vendor advisory
http://securitytracker.com/alerts/2008/Nov/1021212.html	third party advisory vdb entry
http://www.debian.org/security/2008/dsa-1669	third party advisory vendor advisory
http://secunia.com/advisories/32778	third party advisory permissions required
https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00385.html	vendor advisory not applicable
http://secunia.com/advisories/33433	third party advisory permissions required
http://www.vupen.com/english/advisories/2008/2818	vdb entry not applicable
http://www.securityfocus.com/archive/1/497091/100/0/threaded	mailing list
http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1	vendor advisory broken link
http://securityreason.com/securityalert/4416	third party advisory
http://secunia.com/advisories/32721	third party advisory permissions required
http://www.us-cert.gov/cas/techalerts/TA08-319A.html	third party advisory us government resource
http://secunia.com/advisories/32853	third party advisory permissions required
http://www.debian.org/security/2009/dsa-1696	third party advisory vendor advisory
http://secunia.com/advisories/32693	third party advisory permissions required
http://secunia.com/advisories/32845	third party advisory permissions required
http://secunia.com/advisories/33434	third party advisory permissions required
http://secunia.com/advisories/32684	third party advisory permissions required
http://ubuntu.com/usn/usn-667-1	third party advisory vendor advisory
http://www.securityfocus.com/bid/31747	third party advisory vdb entry
http://liudieyu0.blog124.fc2.com/blog-entry-6.html	broken link
http://secunia.com/advisories/32714	third party advisory permissions required
http://www.securityfocus.com/bid/31611	third party advisory vdb entry
http://secunia.com/advisories/34501	third party advisory permissions required

Frequently Asked Questions

What is the severity of CVE-2008-4582?: CVE-2008-4582 has been scored as a medium severity vulnerability.
How to fix CVE-2008-4582?: To fix CVE-2008-4582, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2008-4582 being actively exploited in the wild?: It is possible that CVE-2008-4582 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~36% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-264 – Permissions, Privileges, and Access Controls

References

Frequently Asked Questions