Mozilla Firefox May Let Remote Users Hijack User Clicks to Perform Certain Actions
|
|
SecurityTracker Alert ID: 1020922
|
|
SecurityTracker URL: http://securitytracker.com/id?1020922
|
|
CVE Reference: CVE-2008-3837
(Links to External Site)
|
Date: Sep 24 2008
|
Impact: Modification of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: Mozilla Foundation Security Advisory
|
Version(s): prior to 2.0.0.17, 3.0 prior to 3.0.2
|
Description: A vulnerability was reported in Mozilla Firefox. A remote user may be able to cause the target user to download a file or perform drag-and-drop actions.
A remote user can create specially crafted HTML that, when loaded by the target user, will move the content while the user clicks
the mouse. As a result, an item may be dragged rather than clicked. A remote user may be able to exploit this to cause the target
user to download a file or perform drag-and-drop actions.
Mozilla SeaMonkey is also affected.
This vulnerability is a variant
of a flaw in Internet Explorer that was previously reported by Liu Die Yu.
Paul Nickerson reported this vulnerability.
|
Impact: A remote user may be able to cause the target user to download a file or perform drag-and-drop actions.
|
Solution: The vendor has issued a fixed version (2.0.0.17, 3.0.2).
The vendor's advisory is available at:
http://www.mozilla.org/security/announce/2008/mfsa2008-40.html
|
Vendor URL: www.mozilla.org/security/announce/2008/mfsa2008-40.html (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Tue, 23 Sep 2008 23:16:53 -0400
Subject: http://www.mozilla.org/security/announce/2008/mfsa2008-40.html
|
CVE-2008-3837
|
|
