- Home
- CVEs with nessus.description==The remote host is affected by the vulnerability described in GLSA-200505-11 (Mozilla Suite, Mozilla Firefox: Remote compromise)
The Mozilla Suite and Firefox do not properly protect 'IFRAME' JavaScript URLs from being executed in context of another URL in the history list (CAN-2005-1476). The Mozilla Suite and Firefox also fail to verify the 'IconURL' parameter of the 'InstallTrigger.install()' function (CAN-2005-1477). Michael Krax and Georgi Guninski discovered that it is possible to bypass JavaScript-injection security checks by wrapping the javascript: URL within the view-source: or jar:
pseudo-protocols (MFSA2005-43).
Impact :
A malicious remote attacker could use the 'IFRAME' issue to execute arbitrary JavaScript code within the context of another website, allowing to steal cookies or other sensitive data. By supplying a javascript: URL as the 'IconURL' parameter of the 'InstallTrigger.Install()' function, a remote attacker could also execute arbitrary JavaScript code. Combining both vulnerabilities with a website which is allowed to install software or wrapping javascript:
URLs within the view-source: or jar: pseudo-protocols could possibly lead to the execution of arbitrary code with user privileges.
Workaround :
Affected systems can be protected by disabling JavaScript.
However, we encourage Mozilla Suite or Mozilla Firefox users to upgrade to the latest available version.
Max CVSS | 0 |
Min CVSS | 0 |
Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published |
Back to Top
Mark selected
Back to Top