CVE-2006-3677

Exp

Mozilla Firefox 1.5 before 1.5.0.5 and SeaMonkey before 1.0.3 allows remote attackers to execute arbitrary code by changing certain properties of the window navigator object (window.navigator) that are accessed when Java starts up, which causes a crash that leads to code execution.

Published: 2006-07-27 Last update: 2026-04-16 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2006-3677 is rated High Exploit Risk (74.5/100): CVSS High severity, with high exploitation likelihood (EPSS 67.30%, 99th percentile). 3 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2006-3677

EDB-ID Source Kind Published Link
16300 exploit_db edb 2010-09-20 Exploit-DB ↗
2082 exploit_db edb 2006-07-28 Exploit-DB ↗
9946 exploit_db edb 2006-07-25 Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2006-3677

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-04-05 76.76% 67.30% -9.46%
2 2026-02-05 81.11% 76.76% -4.35%
3 2025-06-29 81.11%

Full EPSS history (13 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2006-3677

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 6.4 [email protected]

Weakness enumeration for CVE-2006-3677

OS Trackers for CVE-2006-3677

vendor priority summary link
debian high CVE-2006-3677 high priority: Debian including 2 source packages (firefox, thunderbird), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6. https://security-tracker.debian.org/tracker/CVE-2006-3677
gentoo normal CVE-2006-3677: 2 GLSA(s) (200608-02, 200608-03), 3 atom(s) (www-client/mozilla-firefox, www-client/mozilla-firefox-bin, www-client/seamonkey); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2006-3677
redhat critical https://access.redhat.com/security/cve/CVE-2006-3677
ubuntu medium CVE-2006-3677 medium priority: Ubuntu including 5 source packages (firefox, firefox-granparadiso, lightning-sunbird, midbrowser, xulrunner), 20 status rows across 4 suites (dapper, edgy, feisty, upstream): DNE 10, needs-triage 5, released 3, not-affected 2. https://ubuntu.com/security/CVE-2006-3677

Affected software / configurations for CVE-2006-3677

Vendor Product Version Raw CPE
mozilla firefox 1.5 cpe:2.3:a:mozilla:firefox:1.5:*:*:*:*:*:*:*
mozilla firefox 1.5.0.1 cpe:2.3:a:mozilla:firefox:1.5.0.1:*:*:*:*:*:*:*
mozilla firefox 1.5.0.2 cpe:2.3:a:mozilla:firefox:1.5.0.2:*:*:*:*:*:*:*
mozilla firefox 1.5.0.3 cpe:2.3:a:mozilla:firefox:1.5.0.3:*:*:*:*:*:*:*
mozilla firefox 1.5.0.4 cpe:2.3:a:mozilla:firefox:1.5.0.4:*:*:*:*:*:*:*
mozilla seamonkey 1.0 cpe:2.3:a:mozilla:seamonkey:1.0:*:*:*:*:*:*:*
mozilla seamonkey 1.0 cpe:2.3:a:mozilla:seamonkey:1.0:*:dev:*:*:*:*:*
mozilla seamonkey 1.0.1 cpe:2.3:a:mozilla:seamonkey:1.0.1:*:*:*:*:*:*:*
mozilla seamonkey 1.0.2 cpe:2.3:a:mozilla:seamonkey:1.0.2:*:*:*:*:*:*:*

References for CVE-2006-3677

URL Tags
ftp://patches.sgi.com/support/free/security/advisories/20060703-01-U.asc
http://rhn.redhat.com/errata/RHSA-2006-0609.html Vendor Advisory
http://secunia.com/advisories/19873 Patch Vendor Advisory
http://secunia.com/advisories/21216 Patch Vendor Advisory
http://secunia.com/advisories/21229 Patch Vendor Advisory
http://secunia.com/advisories/21243 Vendor Advisory
http://secunia.com/advisories/21246 Vendor Advisory
http://secunia.com/advisories/21262 Vendor Advisory
http://secunia.com/advisories/21269 Vendor Advisory
http://secunia.com/advisories/21270 Vendor Advisory
http://secunia.com/advisories/21336 Vendor Advisory
http://secunia.com/advisories/21343 Vendor Advisory
http://secunia.com/advisories/21361 Vendor Advisory
http://secunia.com/advisories/21529 Vendor Advisory
http://secunia.com/advisories/21532 Vendor Advisory
http://secunia.com/advisories/21631 Vendor Advisory
http://secunia.com/advisories/22066 Vendor Advisory
http://secunia.com/advisories/22210 Vendor Advisory
http://security.gentoo.org/glsa/glsa-200608-02.xml
http://securitytracker.com/id?1016586
http://securitytracker.com/id?1016587
http://www.gentoo.org/security/en/glsa/glsa-200608-03.xml
http://www.kb.cert.org/vuls/id/670060 Third Party Advisory US Government Resource
http://www.mandriva.com/security/advisories?name=MDKSA-2006:143
http://www.mandriva.com/security/advisories?name=MDKSA-2006:145
http://www.mozilla.org/security/announce/2006/mfsa2006-45.html Vendor Advisory
http://www.novell.com/linux/security/advisories/2006_48_seamonkey.html
http://www.redhat.com/support/errata/RHSA-2006-0594.html Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2006-0608.html Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2006-0610.html Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2006-0611.html Vendor Advisory
http://www.securityfocus.com/archive/1/441332/100/0/threaded
http://www.securityfocus.com/archive/1/441333/100/0/threaded
http://www.securityfocus.com/archive/1/446658/100/200/threaded
http://www.securityfocus.com/bid/19181
http://www.securityfocus.com/bid/19192 Patch
http://www.ubuntu.com/usn/usn-354-1
http://www.us-cert.gov/cas/techalerts/TA06-208A.html US Government Resource
http://www.vupen.com/english/advisories/2006/2998 Vendor Advisory
http://www.vupen.com/english/advisories/2006/3748 Vendor Advisory
http://www.vupen.com/english/advisories/2008/0083 Vendor Advisory
http://www.zerodayinitiative.com/advisories/ZDI-06-025.html Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/27981
https://exchange.xforce.ibmcloud.com/vulnerabilities/39998
https://issues.rpath.com/browse/RPL-536
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10745
https://usn.ubuntu.com/327-1/
cvelogic Threat Intelligence