Mozilla Firefox Lets Remote Users Execute Arbitrary Scripting Code
|
SecurityTracker Alert ID: 1021418 |
SecurityTracker URL: http://securitytracker.com/id/1021418
|
CVE Reference:
CVE-2008-5511, CVE-2008-5512
(Links to External Site)
|
Date: Dec 17 2008
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 2.x prior to 2.0.0.19; 3.x prior to 3.0.5
|
Description:
Several vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary scripting code to be executed on the target user's system.
A remote user can create HTML with a specially crafted XBL binding that is bound to an unloaded document. When the HTML is loaded by the target user, arbitrary JavaScript will be executed within the context of an arbitrary web site [CVE-2008-5511].
A remote user can create specially crafted HTML that, when loaded by the target user, will invoke XPCNativeWrappers to execute arbitrary JavaScript with chrome privileges [CVE-2008-5512].
SeaMonkey and Thunderbird are also affected.
moz_bug_r_a4 reported this vulnerability.
|
Impact:
A remote user can create HTML that, when loaded by the target user, will execute arbitrary scripting code on the target user's system.
|
Solution:
The vendor has issued a fix (2.0.0.19, 3.0.5).
The vendor's advisory is available at:
http://www.mozilla.org/security/announce/2008/mfsa2008-68.html
|
Vendor URL: www.mozilla.org/security/announce/2008/mfsa2008-68.html (Links to External Site)
|
Cause:
Access control error, Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
|
[Original Message Not Available for Viewing]
|
|