VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 31, 2004· Updated Apr 16, 2026

CVE-2004-0908

CVE-2004-0908

Description

Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows untrusted Javascript code to read and write to the clipboard, and possibly obtain sensitive information, via script-generated events such as Ctrl-Ins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Members only

The AI Insight narrative is available to signed-in members. Sign in or create a free account to read it.

Affected products

56
  • Mozilla Corporation/Mozilla45 versions
    cpe:2.3:a:mozilla:mozilla:0.8:*:*:*:*:*:*:*+ 44 more
    • cpe:2.3:a:mozilla:mozilla:0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.35:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.48:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.1:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.1:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.2:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.2:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc3:*:*:*:*:*:*
    • (no CPE)range: < 1.7.3
  • Mozilla Corporation/Thunderbird10 versions
    cpe:2.3:a:mozilla:thunderbird:0.1:*:*:*:*:*:*:*+ 9 more
    • cpe:2.3:a:mozilla:thunderbird:0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.7.2:*:*:*:*:*:*:*
    • (no CPE)range: < 0.8
  • Mozilla Corporation/Firefoxllm-fuzzy
    Range: < Preview Release

Patches

Members only

Discovered fix commits and diffs is available to signed-in members. Sign in or create a free account to read it.

Vulnerability mechanics

Root cause

"Missing access control on JavaScript-generated events allows untrusted scripts to read and write the system clipboard."

Attack vector

An attacker lures a user to a malicious web page that contains untrusted JavaScript code. By generating synthetic keyboard events (e.g., Ctrl-Ins, commonly mapped to copy), the script can read from and write to the system clipboard without user awareness. The advisory describes the flaw as 'script-generated events such as Ctrl-Ins' enabling clipboard access. This allows exfiltration of sensitive data previously copied by the user or injection of malicious content onto the clipboard.

Affected code

The vulnerability is in the JavaScript engine of Mozilla, Firefox, and Thunderbird, specifically in how they handle clipboard access via script-generated events such as Ctrl-Ins. [ref_id=1] notes that 'Wladimir Palant discovered a flaw in the way javascript interacts with the clipboard' and 'It is possible that an attacker could use malicious javascript code to steal sensitive data which has been copied into the clipboard.' No patch diff is present in the bundle to identify exact function names.

What the fix does

The advisory does not include a patch or specific fix description, but it directs users to update Mozilla to version 1.7.3, Firefox to the Preview Release, and Thunderbird to version 0.8. The fix presumably restricts JavaScript-initiated events from accessing the clipboard, requiring explicit user action or confirmation before clipboard reads or writes can occur.

Preconditions

  • inputUser must visit a web page controlled by the attacker that runs untrusted JavaScript.
  • inputUser must have previously copied sensitive data to the clipboard, or the attacker seeks to write data to the clipboard.

Reproduction

Reference write-ups and PoC links are present but do not include detailed reproduction steps. The Bugzilla link (http://bugzilla.mozilla.org/show_bug.cgi?id=257523) and SecurityFocus entry (http://www.securityfocus.com/bid/11179) are provided but not extracted as write-ups. Therefore no reproduction steps can be included.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

11

News mentions

0

No linked articles in our index yet.