Unrated severity · NVD Advisory · Published Jul 7, 2008 · Updated Apr 23, 2026

CVE-2008-2808

Description

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly escape HTML in file:// URLs in directory listings, which allows remote attackers to conduct cross-site scripting (XSS) attacks or have unspecified other impact via a crafted filename.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mozilla Firefox and SeaMonkey fail to escape HTML in file:// directory listings, allowing XSS via crafted filenames.

Vulnerability

Mozilla Firefox before version 2.0.0.15 and SeaMonkey before version 1.1.10 do not properly escape HTML in file:// URLs when rendering directory listings. A crafted filename containing HTML or JavaScript can be injected into the listing page without sanitization, leading to cross-site scripting (XSS) [1].
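The escaping failure described above, shown as an added example of a directory-listing renderer with the unsafe row builder beside an escaped one. This is not Mozilla's code: the function names and the sample filenames are constructed for illustration, and the filenames carry only harmless markup.

```javascript
// Added illustration; not Mozilla's directory-listing code.
// Filenames are constructed samples containing harmless markup only.
const SAMPLE_NAMES = ['notes.txt', '<b>note.txt', 'x" title="y.txt', 'R&D 100%.txt'];

// Escape the five characters that are significant in HTML text and
// in quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe pattern: the filename is pasted into markup as-is, so any
// '<' or '"' in the name is parsed as HTML by the listing page.
function renderRowUnsafe(name) {
  return '<tr><td><a href="' + name + '">' + name + '</a></td></tr>';
}

// Safe pattern: percent-encode the name for the URL context, then
// HTML-escape both the attribute value and the visible text.
function renderRowSafe(name) {
  const href = escapeHtml(encodeURIComponent(name));
  return '<tr><td><a href="' + href + '">' + escapeHtml(name) + '</a></td></tr>';
}

function renderListing(names, renderRow) {
  return '<table>\n' + names.map(renderRow).join('\n') + '\n</table>';
}

// Count tag openers an HTML parser would see. A well-formed row has
// exactly six: tr, td, a and their three closing tags.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/]/g) || []).length;
}

// Regression check: names whose unescaped row gains extra tags.
function namesThatInjectMarkup(names, renderRow) {
  return names.filter((n) => countTags(renderRow(n)) !== 6);
}

console.log(renderListing(SAMPLE_NAMES, renderRowSafe));
console.log('unsafe rows with extra tags:', namesThatInjectMarkup(SAMPLE_NAMES, renderRowUnsafe));
```

Tag counting catches the `<b>` name but not the `x" title="y.txt` name, which changes the link's attributes without adding a tag; the escaped renderer handles both because it encodes for the attribute and text contexts separately.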

Exploitation

An attacker must have the ability to create a file with a malicious filename on a filesystem accessible via a file:// URL. The victim then needs to browse to a directory containing that file (e.g., by opening a local folder in the browser). No additional authentication or network position is required beyond local file creation. The browser renders the directory listing with the unescaped filename, executing the embedded script in the context of the file:// origin.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the file:// origin. This can lead to disclosure of local file contents, theft of cookies or credentials, or further attacks against the local system. The impact is limited to the privileges of the user running the browser.

Mitigation

Mozilla fixed this issue in Firefox 2.0.0.15 and SeaMonkey 1.1.10. Red Hat provided updated packages via RHSA-2008-0616 [1] for Red Hat Enterprise Linux. Users should upgrade to the patched versions. No workaround is available other than avoiding browsing untrusted directories with file:// URLs.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

36
  • cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:* (+ 17 more)
    • cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0_.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0_.10:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0_.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0_.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0_.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0_8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0_.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0:beta_1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:2.0:rc3:*:*:*:*:*:*
    • (no CPE) range: before 2.0.0.15
  • cpe:2.3:a:mozilla:seamonkey:1.1.1:*:*:*:*:*:*:* (+ 9 more)
    • cpe:2.3:a:mozilla:seamonkey:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:seamonkey:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:seamonkey:1.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:seamonkey:1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:seamonkey:1.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:seamonkey:1.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:seamonkey:1.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:seamonkey:1.1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:seamonkey:1.1.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:seamonkey:1.1:beta:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:thunderbird:2.0_.12:*:*:*:*:*:*:* (+ 7 more)
    • cpe:2.3:a:mozilla:thunderbird:2.0_.12:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:2.0_.13:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:2.0_.14:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:2.0_.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:2.0_.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:2.0_.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:2.0_8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:2.0_.9:*:*:*:*:*:*:*