CVE-2009-1308
Description
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay listing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Firefox, Thunderbird, and SeaMonkey via XBL JavaScript bindings and remote stylesheets, exploited in the wild in March 2009.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey. The flaw allows remote attackers to inject arbitrary web script or HTML through vectors involving XBL (XML Binding Language) JavaScript bindings and remote stylesheets. This was exploited in the wild by a March 2009 eBay listing [2].
Exploitation
An attacker can craft a malicious web page that leverages XBL bindings and remote stylesheets to bypass security restrictions. By hosting such content on a site that accepts user-generated content (like eBay at the time), the attacker can inject arbitrary script into the context of a trusted domain. No authentication or special network position is required; the victim only needs to view the crafted page in a vulnerable browser with JavaScript enabled [2].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser within the security context of the target website. This can lead to data theft, session hijacking, or injection of fraudulent content (e.g., fake email links and changing auction item numbers to evade detection) [2].
Mitigation
Mozilla Firefox upgraded to 3.0.9 to address this flaw. The issue is also fixed in Thunderbird via updates such as USN-782-1 (June 2009) and in Red Hat Enterprise Linux through RHSA-2009:0436 and RHSA-2009:1126 [1] [3] [4]. Users should apply the latest patches from their respective vendors. No workaround is available for unpatched versions; disabling JavaScript reduces but does not fully eliminate risk.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
107cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*+ 100 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*range: <=3.0.8
- cpe:2.3:a:mozilla:firefox:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9:rc:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9_rc:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.6:*:linux:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0:preview_release:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.10:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.9:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0:beta_1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0beta5:*:*:*:*:*:*:*
- (no CPE)range: <3.0.9
cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
- (no CPE)
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- (no CPE)
- osv-coords2 versionspkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed
< 128.5.1-1.1+ 1 more
- (no CPE)range: < 128.5.1-1.1
- (no CPE)range: < 50.1.0-1.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
28- bugzilla.mozilla.org/show_bug.cginvdExploit
- www.mozilla.org/security/announce/2009/mfsa2009-18.htmlnvdVendor Advisory
- lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.htmlnvd
- secunia.com/advisories/34758nvd
- secunia.com/advisories/34780nvd
- secunia.com/advisories/34843nvd
- secunia.com/advisories/34894nvd
- secunia.com/advisories/35042nvd
- secunia.com/advisories/35065nvd
- secunia.com/advisories/35536nvd
- sunsolve.sun.com/search/document.donvd
- www.debian.org/security/2009/dsa-1797nvd
- www.mandriva.com/security/advisoriesnvd
- www.mandriva.com/security/advisoriesnvd
- www.redhat.com/support/errata/RHSA-2009-0436.htmlnvd
- www.redhat.com/support/errata/RHSA-2009-1126.htmlnvd
- www.securityfocus.com/bid/34656nvd
- www.securitytracker.com/idnvd
- www.theregister.co.uk/2009/03/08/ebay_scam_wizardy/nvd
- www.ubuntu.com/usn/usn-782-1nvd
- www.vupen.com/english/advisories/2009/1125nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10428nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6173nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6185nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6296nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7285nvd
- usn.ubuntu.com/764-1/nvd
- www.redhat.com/archives/fedora-package-announce/2009-April/msg00683.htmlnvd
News mentions
0No linked articles in our index yet.