Summary
The host is installed with the Mozilla Firefox browser and is prone to a code execution vulnerability.
Impact
Successful exploitation will let attackers execute arbitrary JavaScript with chrome privileges via a javascript: URI in input to an extension.
Impact Level: Application
Solution
Upgrade to Firefox version 3.6.3 or later. For updates refer to http://www.mozilla.com/en-US/
Insight
The flaw is due to an error in the 'nsIScriptableUnescapeHTML.parseFragment' method, which does not properly sanitize the 'HREF' attribute of an 'A' element or the 'ACTION' attribute of a 'FORM' element.
Affected
Firefox versions prior to 3.6 on Windows
References
Severity
Classification
- CVE: CVE-2010-1585
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C