ID CVE-2007-1878
Summary Cross-zone scripting vulnerability in the DOM templates (domplates) used by the console.log function in the Firebug extension before 1.03 for Mozilla Firefox allows remote attackers to bypass zone restrictions, read arbitrary file:// URIs, or execute arbitrary code in the browser chrome, as demonstrated via the runFile function, related to lack of HTML escaping in the property name.
References
Vulnerable Configurations
  • cpe:2.3:a:parakey_inc.:firebug:1.01:*:*:*:*:*:*:*
  • cpe:2.3:a:parakey_inc.:firebug:1.02:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 16-10-2018 - 16:41)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
refmap via4
bid 23315
bugtraq
  • 20070404 Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug
  • 20070404 Re: [WEB SECURITY] Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug
confirm http://www.getfirebug.com/blog/2007/04/04/security-update/
misc
secunia 24743
sreason 2525
vupen ADV-2007-1272
xf firefox-firebug-console-security-bypass(33451)
Last major update 16-10-2018 - 16:41
Published 06-04-2007 - 00:19
Last modified 16-10-2018 - 16:41