Summary
The host has the Mozilla Firefox browser installed and is prone to a code execution vulnerability.
Impact
Successful exploitation lets attackers execute arbitrary JavaScript with chrome privileges via a javascript: URI in input to an extension.
Impact Level: Application
Solution
Upgrade to Firefox version 3.6.3 or later. For updates refer to http://www.mozilla.com/en-US/
Insight
The flaw is due to an error in the 'nsIScriptableUnescapeHTML.parseFragment' method, which does not properly sanitize the 'HREF' attribute of an 'A' element or the 'ACTION' attribute of a 'FORM' element.
Affected
Firefox versions prior to 3.6 on Windows
References
Severity
Classification
- CVE: CVE-2010-1585
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C