CVE-2009-2408

CVE Database · CVE-2009-2408

CVE-2009-2408

· MEDIUMModified

CVSS v3.1

5.9

EPSS

5.74%

Published

Jul 30, 2009

Modified

Apr 22, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Weaknesses (CWE)

CWE-295

Affected Products (12)

mozilla · firefox (up to 3.0.13)vulnerable

mozilla · network_security_services (up to 3.12.3)vulnerable

mozilla · seamonkey (up to 1.1.18)vulnerable

mozilla · thunderbird (up to 2.0.0.23)vulnerable

opensuse · opensusevulnerable

suse · linux_enterprisevulnerable

suse · linux_enterprise_servervulnerable