Mozilla Firefox 'data:' URI XSS Vulnerability - Sep09 (Win) Network Vulnerability

Summary

This host is installed with Mozilla Product(s) and is prone to Cross-Site Scripting vulnerability.

Impact

Successful exploitation will allow attackers to conduct Cross-Site Scripting attacks in the victim's system. Impact Level: Application

Solution

Upgrade to Firefox version 3.6.3 or later, For updates refer to http://www.mozilla.org/

Insight

Firefox fails to sanitise the 'data:' URIs in Location headers in HTTP responses, which can be exploited via vectors related to injecting a Location header or Location HTTP response header.

Affected

Mozilla, Firefox version 3.0.13 and prior, 3.5 and 3.6/3.7 a1 pre on Windows.

References

http://websecurity.com.ua/3323/
http://websecurity.com.ua/3386/

Updated on 2015-03-25

Severity

Classification

CVE CVE-2009-3012

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Adobe Reader Cross-Site Scripting & Denial of Service Vulnerabilities (Windows)
Apple Safari Multiple Vulnerabilities Dec13 (Mac OS X)
Apple QuickTime Multiple Arbitrary Code Execution Vulnerabilities (Win)
Adobe Flex SDK 'SWF' Files Cross-Site Scripting Vulnerability (Windows)
Apple Safari 'Webkit' Multiple Vulnerabilities -01 Feb15 (Mac OS X)

Take action and discover your vulnerabilities