Unrated severityNVD Advisory· Published Aug 31, 2009· Updated Jun 16, 2026
CVE-2009-3010
CVE-2009-3010
Description
Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. NOTE: in some product versions, the JavaScript executes outside of the context of the HTTP site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
9cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*range: <=3.0.13
- cpe:2.3:a:mozilla:firefox:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.6:a1_prerelease:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:3.7:a1_prerelease:*:*:*:*:*:*
- (no CPE)range: <=3.0.13, 3.5, 3.6a1pre, 3.7a1pre
cpe:2.3:a:mozilla:mozilla:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mozilla:mozilla:*:*:*:*:*:*:*:*range: <=1.7.12
- (no CPE)range: <=1.7.x
- cpe:2.3:a:mozilla:seamonkey:1.1.17:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
3- websecurity.com.ua/3315/nvdExploit
- websecurity.com.ua/3386/nvdExploit
- exchange.xforce.ibmcloud.com/vulnerabilities/52999nvdThird Party AdvisoryVDB Entry
News mentions
0No linked articles in our index yet.