Unrated severityNVD Advisory· Published Dec 28, 2007· Updated Apr 23, 2026

CVE-2007-6589

Description

The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 does not update the origin domain when retrieving the inner URL parameter yields an HTTP redirect, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a jar: URI, a different vulnerability than CVE-2007-5947.

Affected products

Mozilla Corporation/Firefox
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Range: <=2.0.0.9
Mozilla Corporation/Seamonkey
cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
Range: <=1.1.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

blog.beford.orgnvd
h20000.www2.hp.com/bizsupport/TechSupport/Document.jspnvd
osvdb.org/43477nvd
www.mozilla.org/security/announce/2007/mfsa2007-37.htmlnvd
www.vupen.com/english/advisories/2008/0083nvd
bugzilla.mozilla.org/show_bug.cginvd
bugzilla.mozilla.org/show_bug.cginvd
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6033nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000