ID CVE-2005-1477
Summary The install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary Javascript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site.
References
Vulnerable Configurations
  • cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
CVSS
Base: 5.1 (as of 11-10-2017 - 01:30)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK HIGH NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:H/Au:N/C:P/I:P/A:P
oval via4
  • accepted 2007-03-21T16:16:19.069-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Jonathan Baker
      organization The MITRE Corporation
    • name Matthew Wojcik
      organization The MITRE Corporation
    • name Anna Min
      organization BigFix, Inc
    • name Daniel Tarnu
      organization GFI Software
    description The install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary Javascript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site.
    family windows
    id oval:org.mitre.oval:def:100001
    status accepted
    submitted 2005-08-16T04:00:00.000-04:00
    title Install Function in Firefox and Mozilla Permits Arbitrary Code Execution
    version 4
  • accepted 2013-04-29T04:18:31.566-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    description The install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary Javascript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site.
    family unix
    id oval:org.mitre.oval:def:9231
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title The install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary Javascript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site.
    version 24
redhat via4
advisories
  • rhsa
    id RHSA-2005:434
  • rhsa
    id RHSA-2005:435
refmap via4
bid
  • 13544
  • 15495
cert-vn VU#648758
confirm http://www.mozilla.org/security/announce/mfsa2005-42.html
fulldisc
  • 20050508 Firefox Remote Compromise Leaked
  • 20050508 Firefox Remote Compromise Technical Details
misc
sco SCOSA-2005.49
sectrack 1013913
secunia 15292
vupen ADV-2005-0493
xf mozilla-javascript-code-execution(20443)
Last major update 11-10-2017 - 01:30
Published 09-05-2005 - 04:00
Back to Top