PublicDate: 2008-03-27 10:44:00 UTC
Candidate: CVE-2008-1238
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1238
 https://ubuntu.com/security/notices/USN-592-1
Description:
 Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating
 the HTTP Referer header, does not list the entire URL when it contains Basic
 Authentication credentials without a username, which makes it easier for
 remote attackers to bypass application protection mechanisms that rely on
 Referer headers, such as with some Cross-Site Request Forgery (CSRF)
 mechanisms.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:

Patches_firefox:
upstream_firefox: released (2.0.0.13)
dapper_firefox: released (1.5.dfsg+1.5.0.15~prepatch080323a-0ubuntu1)
edgy_firefox: released (2.0.0.13+0nobinonly-0ubuntu0.6.10)
feisty_firefox: released (2.0.0.13+0nobinonly-0ubuntu0.7.4)
gutsy_firefox: released (2.0.0.13+1nobinonly-0ubuntu0.7.10)
hardy_firefox: released (2.0.0.13+1nobinonly-0ubuntu1)
intrepid_firefox: DNE
devel_firefox: DNE

Patches_xulrunner:
upstream_xulrunner: needs-triage
dapper_xulrunner: DNE
edgy_xulrunner: needed (reached end-of-life)
feisty_xulrunner: needed (reached end-of-life)
gutsy_xulrunner: released (1.8.1.18+nobinonly.b308.cvs20090331t155113-0ubuntu0.7.10.1)
hardy_xulrunner: released (1.8.1.13+nobinonly-0ubuntu1)
intrepid_xulrunner: released (1.8.1.13+nobinonly-0ubuntu1)
devel_xulrunner: released (1.8.1.13+nobinonly-0ubuntu1)

Patches_iceape:
upstream_iceape: released (1.1.9)
dapper_iceape: DNE
edgy_iceape: DNE
feisty_iceape: DNE
gutsy_iceape: needed (reached end-of-life)
hardy_iceape: DNE
intrepid_iceape: DNE
devel_iceape: DNE

Patches_iceweasel:
upstream_iceweasel: needs-triage
dapper_iceweasel: DNE
edgy_iceweasel: DNE
feisty_iceweasel: DNE
gutsy_iceweasel: DNE
hardy_iceweasel: DNE
intrepid_iceweasel: DNE
devel_iceweasel: DNE

Patches_seamonkey:
upstream_seamonkey: released (1.1.9)
dapper_seamonkey: DNE
edgy_seamonkey: DNE
feisty_seamonkey: DNE
gutsy_seamonkey: DNE
hardy_seamonkey: released (1.1.9+nobinonly-0ubuntu1)
intrepid_seamonkey: released (1.1.9+nobinonly-0ubuntu1)
devel_seamonkey: released (1.1.9+nobinonly-0ubuntu1)