CVE-2009-1597
Publication date 11 May 2009
Last updated 24 July 2024
Ubuntu priority
Mozilla Firefox executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as demonstrated by a web site that permits PDF uploads by untrusted users, and therefore has a shared document.domain between the web site and this javascript: URI. NOTE: the researcher reports that Adobe’s position is “a PDF file is active content.”
Status
Package | Ubuntu Release | Status |
---|---|---|
firefox | 9.10 karmic | Not in release |
9.04 jaunty | Not in release | |
8.10 intrepid | Not in release | |
8.04 LTS hardy | Ignored | |
6.06 LTS dapper | Ignored end of life | |
firefox-3.0 | 9.10 karmic | Not in release |
9.04 jaunty | Ignored | |
8.10 intrepid | Ignored | |
8.04 LTS hardy | Ignored | |
6.06 LTS dapper | Not in release | |
firefox-3.5 | 9.10 karmic | Ignored |
9.04 jaunty | Ignored | |
8.10 intrepid | Not in release | |
8.04 LTS hardy | Not in release | |
6.06 LTS dapper | Not in release | |
iceweasel | 9.10 karmic | Not in release |
9.04 jaunty | Not in release | |
8.10 intrepid | Not in release | |
8.04 LTS hardy | Not in release | |
6.06 LTS dapper | Not in release |
Notes
jdstrand
Requires inline PDF with acroread. PDF is active content, ignoring until upstream has more information.