Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-0909

Description

Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 may allow remote attackers to trick users into performing unexpected actions, including installing software, via signed scripts that request enhanced abilities using the enablePrivilege parameter, then modify the meaning of certain security-relevant dialog messages.

Affected products

56
  • mozilla:mozilla
    • cpe:2.3:a:mozilla:mozilla:0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.35:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.48:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.1:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.1:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.2:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.2:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc3:*:*:*:*:*:*
    • (no CPE) range: <1.7.3
  • mozilla:thunderbird
    • cpe:2.3:a:mozilla:thunderbird:0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.7.2:*:*:*:*:*:*:*
    • (no CPE) range: <0.8
  • Range: < Preview Release

Vulnerability mechanics

Root cause

"Signed scripts that request enhanced abilities via the enablePrivilege parameter can modify the meaning of security-relevant dialog messages, tricking users into approving unintended actions."

Attack vector

The advisory [ref_id=1] does not describe the specific attack vector beyond noting that signed scripts requesting enhanced abilities via the enablePrivilege parameter can modify the meaning of security-relevant dialog messages. An attacker hosting a malicious web page could deliver a signed script that asks for elevated privileges and then alters the text of the confirmation dialog to trick the user into approving the action, such as installing software.

What the fix does

The advisory [ref_id=1] states that the vulnerability is corrected in Mozilla 1.7.3, Firefox Preview Release, and Thunderbird 0.8. The exact code changes are not shown in the bundle, but the fix addresses the ability of signed scripts to modify security dialog messages after requesting enhanced privileges via enablePrivilege, ensuring that dialog text accurately reflects the action being confirmed.

Preconditions

  • input: Attacker must host a web page containing a signed script that calls enablePrivilege
  • config: Browser must support signed scripts and display security dialogs for privilege escalation

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8
