CVE-2007-3845 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2007-3845

CVE-2007-3845

August 08, 2007

Mozilla Firefox before 2.0.0.6, Thunderbird before 1.5.0.13 and 2.x before 2.0.0.6, and SeaMonkey before 1.1.4 allow remote attackers to execute arbitrary commands via certain vectors associated with launching "a file handling program based on the file extension at the end of the URI," a variant of CVE-2007-4041. NOTE: the vendor states that "it is still possible to launch a filetype handler based on extension rather than the registered protocol handler."

Related Resources (35)

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579

http://www.ubuntu.com/usn/usn-493-1

http://secunia.com/advisories/26393

http://secunia.com/advisories/26335

http://www.vupen.com/english/advisories/2008/0082

http://www.vupen.com/english/advisories/2007/4256

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103177-1

http://bugzilla.mozilla.org/show_bug.cgi?id=389580

http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.010101

http://www.mandriva.com/security/advisories?name=MDVSA-2008:047

http://www.mandriva.com/security/advisories?name=MDKSA-2007:152

http://secunia.com/advisories/26303

http://www.debian.org/security/2007/dsa-1345

http://www.debian.org/security/2007/dsa-1344

http://secunia.com/advisories/26234

http://secunia.com/advisories/27414

http://secunia.com/advisories/28135

http://www.debian.org/security/2007/dsa-1391

http://www.ubuntu.com/usn/usn-503-1

http://secunia.com/advisories/27326

https://issues.rpath.com/browse/RPL-1600

http://sunsolve.sun.com/search/document.do?assetkey=1-66-201516-1

http://www.mandriva.com/security/advisories?name=MDVSA-2007:047

http://www.mozilla.org/security/announce/2007/mfsa2007-27.html

http://secunia.com/advisories/26309

http://www.securityfocus.com/bid/25053

http://secunia.com/advisories/26258

https://people.canonical.com/~ubuntu-security/cve/CVE-2007-3845

http://secunia.com/advisories/26572

http://www.debian.org/security/2007/dsa-1346

http://www.securityfocus.com/archive/1/475265/100/200/threaded

http://www.securityfocus.com/archive/1/475450/30/5550/threaded

http://secunia.com/advisories/26331

https://bugzilla.mozilla.org/show_bug.cgi?id=389106

Do you need more information?

CVSS v4

Base Score:

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

CVSS v2

Base Score:

9.3

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

EPSS

Base Score:

43.23