Netscape
Products by Netscape Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2024 there have been 0 vulnerabilities in Netscape . Netscape did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 6.10 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Netscape vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Netscape Security Vulnerabilities
servlet/SnoopServlet (a servlet installed by default) in Netscape Enterprise 3.63 has reflected XSS
CVE-2018-18940
6.1 - Medium
- January 31, 2019
servlet/SnoopServlet (a servlet installed by default) in Netscape Enterprise 3.63 has reflected XSS via an arbitrary parameter=[XSS] in the query string. A remote unauthenticated attacker could potentially exploit this vulnerability to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. NOTE: this product is discontinued.
XSS
Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with Netscape installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a -chrome argument to the navigatorurl URI, which are inserted into the command line
CVE-2007-3924
- July 21, 2007
Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with Netscape installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a -chrome argument to the navigatorurl URI, which are inserted into the command line that is created when invoking netscape.exe, a related issue to CVE-2007-3670. NOTE: there has been debate about whether the issue is in Internet Explorer or Netscape. As of 20070713, it is CVE's opinion that IE appears to not properly delimit the URL argument when invoking Netscape; this issue could arise with other protocol handlers in IE.
AcroPDF.DLL in Adobe Reader 8.0, when accessed from Mozilla Firefox, Netscape, or Opera, allows remote attackers to cause a denial of service (unspecified resource consumption) via a .pdf URL with an anchor identifier
CVE-2007-1377
- March 10, 2007
AcroPDF.DLL in Adobe Reader 8.0, when accessed from Mozilla Firefox, Netscape, or Opera, allows remote attackers to cause a denial of service (unspecified resource consumption) via a .pdf URL with an anchor identifier that begins with search= followed by many %n sequences, a different vulnerability than CVE-2006-6027 and CVE-2006-6236.
Resource Exhaustion
Concurrency vulnerability in Mozilla Firefox 1.5.0.6 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via multiple Javascript timed events
CVE-2006-4253
- August 21, 2006
Concurrency vulnerability in Mozilla Firefox 1.5.0.6 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via multiple Javascript timed events that load a deeply nested XML file, followed by redirecting the browser to another page, which leads to a concurrency failure that causes structures to be freed incorrectly, as demonstrated by (1) ffoxdie and (2) ffoxdie3. NOTE: it has been reported that Netscape 8.1 and K-Meleon 1.0.1 are also affected by ffoxdie. Mozilla confirmed to CVE that ffoxdie and ffoxdie3 trigger the same underlying vulnerability. NOTE: it was later reported that Firefox 2.0 RC2 and 1.5.0.7 are also affected.
Permissions, Privileges, and Access Controls
The Javascript "Same Origin Policy" (SOP), as implemented in (1) Netscape, (2) Mozilla, and (3) Internet Explorer
CVE-2002-0815
- August 12, 2002
The Javascript "Same Origin Policy" (SOP), as implemented in (1) Netscape, (2) Mozilla, and (3) Internet Explorer, allows a remote web server to access HTTP and SOAP/XML content from restricted sites by mapping the malicious server's parent DNS domain name to the restricted site, loading a page from the restricted site into one frame, and passing the information to the attacker-controlled frame, which is allowed because the document.domain of the two frames matches on the parent domain.
Netscape Enterprise 3.5.1 and FastTrack 3.01 servers
CVE-1999-0758
- March 12, 2001
Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote attacker to view source code to scripts by appending a %20 to the script's URL.
Buffer overflow in Netscape Communicator before 4.7
CVE-1999-0892
- December 24, 1999
Buffer overflow in Netscape Communicator before 4.7 via a dynamic font whose length field is less than the size of the font.
Netscape 4.7 records user passwords in the preferences.js file during an IMAP or POP session
CVE-2000-0034
- December 22, 1999
Netscape 4.7 records user passwords in the preferences.js file during an IMAP or POP session, even if the user has not enabled "remember passwords."
By default, Internet Explorer 5.0 and other versions enables the "Navigate sub-frames across different domains" option, which
CVE-1999-0827
- November 01, 1999
By default, Internet Explorer 5.0 and other versions enables the "Navigate sub-frames across different domains" option, which allows frame spoofing.
Netscape Communicator 4.x with Javascript enabled does not warn a user of cookie settings, even if they have selected the option to "Only accept cookies originating
CVE-1999-0809
- July 09, 1999
Netscape Communicator 4.x with Javascript enabled does not warn a user of cookie settings, even if they have selected the option to "Only accept cookies originating from the same server as the page being viewed".
Denial of service in Netscape Enterprise Server
CVE-1999-0752
- July 06, 1999
Denial of service in Netscape Enterprise Server via a buffer overflow in the SSL handshake.
When Javascript is embedded within the TITLE tag, Netscape Communicator
CVE-1999-0762
- May 24, 1999
When Javascript is embedded within the TITLE tag, Netscape Communicator allows a remote attacker to use the "about" protocol to gain access to browser information.
The Netscape Directory Server installation procedure leaves sensitive information in a file
CVE-1999-0807
- May 01, 1999
The Netscape Directory Server installation procedure leaves sensitive information in a file that is accessible to local users.
talkback in Netscape 4.5
CVE-1999-0424
- March 18, 1999
talkback in Netscape 4.5 allows a local user to overwrite arbitrary files of another user whose Netscape crashes.
talkback in Netscape 4.5
CVE-1999-0425
- March 18, 1999
talkback in Netscape 4.5 allows a local user to kill an arbitrary process of another user whose Netscape crashes.
Internet Explorer 3.x to 4.01
CVE-1999-0869
- December 01, 1998
Internet Explorer 3.x to 4.01 allows a remote attacker to insert malicious content into a frame of another web site, aka frame spoofing.
Netscape Enterprise servers may list files through the PageServices query.
CVE-1999-0269
- August 01, 1998
Netscape Enterprise servers may list files through the PageServices query.
A configuration in a web browser such as Internet Explorer or Netscape Navigator
CVE-1999-0537
- April 01, 1998
A configuration in a web browser such as Internet Explorer or Netscape Navigator allows execution of active content such as ActiveX, Java, Javascript, etc.
Some web servers under Microsoft Windows
CVE-1999-0012
- February 06, 1998
Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names.
Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET.
CVE-1999-0239
7.5 - High
- January 01, 1998
Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET.
Improper Handling of Case Sensitivity
JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x
CVE-1999-0031
- July 08, 1997
JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and 4.x, allows remote attackers to monitor a user's web activities, aka the Bell Labs vulnerability.
ucbmail allows remote attackers to execute commands via shell metacharacters
CVE-1999-0868
- February 20, 1997
ucbmail allows remote attackers to execute commands via shell metacharacters that are passed to it from INN.
The view-source CGI program allows remote attackers to read arbitrary files via a
CVE-1999-0174
- February 01, 1997
The view-source CGI program allows remote attackers to read arbitrary files via a .. (dot dot) attack.
List of arbitrary files on Web host
CVE-1999-0045
- December 10, 1996
List of arbitrary files on Web host via nph-test-cgi script.
Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages
CVE-1999-0043
- December 04, 1996
Command execution via shell metachars in INN daemon (innd) 1.5 using "newgroup" and "rmgroup" control messages, and others.
The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0
CVE-1999-0142
- March 01, 1996
The Java Applet Security Manager implementation in Netscape Navigator 2.0 and Java Developer's Kit 1.0 allows an applet to connect to arbitrary hosts.