VYPR
Unrated severity · NVD Advisory · Published Sep 24, 2008 · Updated Apr 23, 2026

CVE-2008-4065

Description

Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allow remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via byte order mark (BOM) characters that are removed from JavaScript code before execution, aka "Stripped BOM characters bug."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mozilla browser and email products allow XSS attacks via byte order mark characters stripped from JavaScript before execution.

Vulnerability

Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 contain a vulnerability that allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms. The issue involves byte order mark (BOM) characters that are removed from JavaScript code before execution, enabling XSS attacks via stripped BOM characters [4].

Exploitation

An attacker can craft JavaScript code containing BOM characters that are stripped during processing. This bypasses XSS filters because the BOM removal occurs after the filter check, allowing the malicious script to execute. The attacker can deliver the payload through a crafted web page or email, requiring no special privileges beyond the ability to serve content.
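An added example, not code from the advisory or from Mozilla, modelling the ordering problem described above: a hypothetical keyword filter is run on text destined for a script context, and the engine strips U+FEFF before execution. Checking the raw text and then stripping (the vulnerable order) lets the fragment through, while canonicalizing first (the hardened order) catches it; the input and filter are constructed for this demonstration.

```python
import re
import unicodedata

BOM = "\ufeff"

# Constructed sample: a JavaScript fragment with a BOM inside the identifier.
# A filter that inspects the raw text sees "al<BOM>ert", not "alert"; an engine
# that strips BOMs before execution runs "alert(1)" regardless.
CONSTRUCTED_INPUT = f"al{BOM}ert(1)"

# Hypothetical deny-list filter used only for this demonstration.
BLOCKED = re.compile(r"<\s*script|\balert\s*\(|\beval\s*\(", re.IGNORECASE)


def strip_bom(text: str) -> str:
    """Remove byte order mark characters wherever they occur (what the engine did)."""
    return text.replace(BOM, "")


def canonicalize(text: str) -> str:
    """Drop U+FEFF and every other Unicode format (Cf) code point, such as
    zero-width spaces and joiners, so the text the filter judges is the text
    that would actually execute."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def looks_like_script(text: str) -> bool:
    return BLOCKED.search(text) is not None


def vulnerable_pipeline(text: str) -> tuple[bool, str]:
    """Vulnerable order: filter the raw text, then strip BOMs before execution.
    Returns (blocked, text_that_would_execute)."""
    blocked = looks_like_script(text)
    return blocked, strip_bom(text)


def hardened_pipeline(text: str) -> tuple[bool, str]:
    """Hardened order: canonicalize first, then filter the canonical form."""
    canon = canonicalize(text)
    return looks_like_script(canon), canon


if __name__ == "__main__":
    print("vulnerable:", vulnerable_pipeline(CONSTRUCTED_INPUT))  # (False, 'alert(1)')
    print("hardened:  ", hardened_pipeline(CONSTRUCTED_INPUT))    # (True, 'alert(1)')
```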

Impact

Successful exploitation leads to arbitrary script execution in the context of the affected application. This can result in information disclosure, session hijacking, or other actions that compromise the confidentiality, integrity, and availability of user data within the application's security context.

Mitigation

Fixed versions have been released: Firefox 2.0.0.17 and 3.0.2, Thunderbird 2.0.0.17, and SeaMonkey 1.1.12. Users should update to these versions or apply patches provided by vendors such as Red Hat [1][2][3] and Slackware [4]. No workarounds are mentioned in the available references.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (12)

  • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* (range: <2.0.0.17)
  • Mozilla Firefox (no CPE): before 2.0.0.17, before 3.0.2 (3.x)
  • cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:* (range: <1.1.12)
  • Mozilla SeaMonkey (no CPE): before 1.1.12
  • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (range: <2.0.0.17)
  • Mozilla Thunderbird (no CPE): before 2.0.0.17
  • cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (51)

News mentions (0)

No linked articles in our index yet.