Unrated severityNVD Advisory· Published Aug 3, 2009· Updated Apr 23, 2026
CVE-2009-2654
CVE-2009-2654
Description
Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page.
Affected products
108cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*+ 107 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*range: <=3.5.1
- cpe:2.3:a:mozilla:firefox:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9:rc:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9_rc:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0:preview_release:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.10:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0_.9:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0:beta_1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.1:beta1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.2:beta1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.2:beta2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.2:beta3:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.5:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
26- blog.mozilla.com/security/2009/07/28/url-bar-spoofing-vulnerability/nvdPatchVendor Advisory
- www.mozilla.org/security/announce/2009/mfsa2009-44.htmlnvdPatchVendor Advisory
- www.vupen.com/english/advisories/2009/2006nvdPatchVendor Advisory
- www.vupen.com/english/advisories/2009/2142nvdPatchVendor Advisory
- www.securityfocus.com/archive/1/505242/30/0/threadednvdExploit
- www.securityfocus.com/bid/35803nvdExploitPatch
- secunia.com/advisories/36001nvdVendor Advisory
- secunia.com/advisories/36126nvdVendor Advisory
- secunia.com/advisories/36141nvdVendor Advisory
- secunia.com/advisories/36435nvdVendor Advisory
- es.geocities.com/jplopezy/firefoxspoofing.htmlnvd
- osvdb.org/56717nvd
- secunia.com/advisories/36669nvd
- secunia.com/advisories/36670nvd
- sunsolve.sun.com/search/document.donvd
- www.debian.org/security/2009/dsa-1873nvd
- www.redhat.com/support/errata/RHSA-2009-1430.htmlnvd
- www.redhat.com/support/errata/RHSA-2009-1431.htmlnvd
- www.redhat.com/support/errata/RHSA-2009-1432.htmlnvd
- www.securityfocus.com/archive/1/505265nvd
- www.securitytracker.com/idnvd
- bugzilla.mozilla.org/show_bug.cginvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9686nvd
- usn.ubuntu.com/811-1/nvd
- www.redhat.com/archives/fedora-package-announce/2009-August/msg00198.htmlnvd
- www.redhat.com/archives/fedora-package-announce/2009-August/msg00261.htmlnvd
News mentions
0No linked articles in our index yet.