CVE-2008-2800
Description
Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors involving (1) an event handler attached to an outer window, (2) a SCRIPT element in an unloaded document, or (3) the onreadystatechange handler in conjunction with an XMLHttpRequest.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow same-origin policy bypass via event handlers, script in unloaded documents, or XMLHttpRequest onreadystatechange.
Vulnerability
The Same Origin Policy (SOP) enforcement in Mozilla Firefox before version 2.0.0.15 and SeaMonkey before 1.1.10 can be bypassed through three distinct vectors [1][2][3][4]. An attacker can exploit (1) an event handler attached to an outer window, (2) a SCRIPT element in an unloaded document, or (3) the onreadystatechange handler in conjunction with an XMLHttpRequest to conduct cross-site scripting (XSS) attacks.
Exploitation
The attacker requires no special privileges beyond the ability to serve a malicious web page or inject content into a trusted site. By crafting a page that triggers one of the three vectors, the attacker can execute arbitrary script in the context of a different origin, bypassing the SOP [1][2][3][4].
Impact
Successful exploitation results in cross-site scripting (XSS), allowing the attacker to read or modify data in the target origin, steal session cookies, or perform actions on behalf of the victim user within the affected origin [1][2][3][4].
Mitigation
Mozilla addressed these vulnerabilities in Firefox 2.0.0.15 and SeaMonkey 1.1.10, released on July 16, 2008. Red Hat issued updates for affected products via RHSA-2008-0616, RHSA-2008-0569, RHSA-2008-0547, and RHSA-2008-0549 [1][2][3][4]. Users should apply the latest updates from their vendor.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (26)
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* (+ 15 more)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* (range: <=2.0.0.14)
- cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:*
- (no CPE) (range: < 2.0.0.15)
cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:* (+ 9 more)
- cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:* (range: <=1.1.9)
- cpe:2.3:a:mozilla:seamonkey:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:1.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:1.1.8:*:*:*:*:*:*:*
- (no CPE) (range: < 1.1.10)
Patches (0)
No patches discovered yet.
References (48)
- secunia.com/advisories/30911 (nvd, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html (nvd)
- rhn.redhat.com/errata/RHSA-2008-0616.html (nvd)
- secunia.com/advisories/30878 (nvd)
- secunia.com/advisories/30898 (nvd)
- secunia.com/advisories/30903 (nvd)
- secunia.com/advisories/30949 (nvd)
- secunia.com/advisories/31005 (nvd)
- secunia.com/advisories/31008 (nvd)
- secunia.com/advisories/31021 (nvd)
- secunia.com/advisories/31023 (nvd)
- secunia.com/advisories/31069 (nvd)
- secunia.com/advisories/31076 (nvd)
- secunia.com/advisories/31183 (nvd)
- secunia.com/advisories/31195 (nvd)
- secunia.com/advisories/31377 (nvd)
- secunia.com/advisories/33433 (nvd)
- secunia.com/advisories/34501 (nvd)
- security.gentoo.org/glsa/glsa-200808-03.xml (nvd)
- slackware.com/security/viewer.php (nvd)
- slackware.com/security/viewer.php (nvd)
- sunsolve.sun.com/search/document.do (nvd)
- wiki.rpath.com/Advisories:rPSA-2008-0216 (nvd)
- www.debian.org/security/2008/dsa-1607 (nvd)
- www.debian.org/security/2008/dsa-1615 (nvd)
- www.debian.org/security/2009/dsa-1697 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.mozilla.org/projects/security/known-vulnerabilities.html (nvd)
- www.mozilla.org/security/announce/2008/mfsa2008-22.html (nvd)
- www.redhat.com/support/errata/RHSA-2008-0547.html (nvd)
- www.redhat.com/support/errata/RHSA-2008-0549.html (nvd)
- www.redhat.com/support/errata/RHSA-2008-0569.html (nvd)
- www.securityfocus.com/archive/1/494080/100/0/threaded (nvd)
- www.securityfocus.com/bid/30038 (nvd)
- www.securitytracker.com/id (nvd)
- www.ubuntu.com/usn/usn-619-1 (nvd)
- www.vupen.com/english/advisories/2008/1993/references (nvd)
- www.vupen.com/english/advisories/2009/0977 (nvd)
- bugzilla.mozilla.org/show_bug.cgi (nvd)
- bugzilla.mozilla.org/show_bug.cgi (nvd)
- bugzilla.mozilla.org/show_bug.cgi (nvd)
- bugzilla.mozilla.org/show_bug.cgi (nvd)
- bugzilla.mozilla.org/show_bug.cgi (nvd)
- issues.rpath.com/browse/RPL-2646 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9386 (nvd)
- www.redhat.com/archives/fedora-package-announce/2008-July/msg00207.html (nvd)
- www.redhat.com/archives/fedora-package-announce/2008-July/msg00288.html (nvd)
- www.redhat.com/archives/fedora-package-announce/2008-July/msg00295.html (nvd)