CVE-2006-6077

Name	CVE-2006-6077
Description	The (1) Password Manager in Mozilla Firefox 2.0, and 1.5.0.8 and earlier; and the (2) Passcard Manager in Netscape 8.1.2 and possibly other versions, do not properly verify that an ACTION URL in a FORM element containing a password INPUT element matches the web site for which the user stored a password, which allows remote attackers to obtain passwords via a password INPUT element on a different web page located on the web site intended for this password.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1336-1
Debian Bugs	409220

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
iceape	source	(unstable)	1.0.8-1	high
iceweasel	source	(unstable)	2.0.0.2+dfsg-1	high		409220
mozilla-firefox	source	sarge	1.0.4-2sarge17		DSA-1336-1
xulrunner	source	(unstable)	1.8.0.10-1	medium

Notes

MFSA-2007-02
[sarge] - mozilla-firefox <no-dsa> (Mozilla products from Sarge no longer supported)
[sarge] - mozilla <no-dsa> (Mozilla products from Sarge no longer supported)
Epiphany affected by xulrunner