VYPR
Unrated severityNVD Advisory· Published Aug 31, 2009· Updated Jun 16, 2026

CVE-2009-3010

CVE-2009-3010

Description

Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. NOTE: in some product versions, the JavaScript executes outside of the context of the HTTP site.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

9
  • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*+ 4 more
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*range: <=3.0.13
    • cpe:2.3:a:mozilla:firefox:3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:3.6:a1_prerelease:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:3.7:a1_prerelease:*:*:*:*:*:*
    • (no CPE)range: <=3.0.13, 3.5, 3.6a1pre, 3.7a1pre
  • cpe:2.3:a:mozilla:mozilla:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:mozilla:mozilla:*:*:*:*:*:*:*:*range: <=1.7.12
    • (no CPE)range: <=1.7.x
  • cpe:2.3:a:mozilla:seamonkey:1.1.17:*:*:*:*:*:*:*
  • Range: =1.1.17

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.