Impact
remote code execution
Solution
Please install the updated packages.
Insight
The Mozilla Firefox browser was updated to version 3.0.5, fixing various security issues and stability problems.
The Mozilla Seamonkey browser was updated to version 1.1.14, also fixing various security issues and stability problems.
The other Mozilla browsers and suites are still being prepared and will be released when they have passed QA.
The following security issues were fixed:
CVE-2008-5513: Mozilla security researcher moz_bug_r_a4 reported vulnerabilities in the session-restore feature by which content could be injected into an incorrect document storage location, including storage locations for other domains. An attacker could utilize these issues to violate the browser's same-origin policy and perform an XSS attack while SessionStore data is being restored.
moz_bug_r_a4 also reported that one variant could be used by an attacker to run arbitrary JavaScript with chrome privileges.
CVE-2008-5511: Mozilla security researcher moz_bug_r_a4 reported that an XBL binding, when attached to an unloaded document, can be used to violate the same-origin policy and execute arbitrary JavaScript within the context of a different website.
moz_bug_r_a4 also reported two vulnerabilities by which page content can pollute XPCNativeWrappers and run arbitrary JavaScript with chrome privileges. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.
Workaround: Disable JavaScript until a version containing these fixes can be installed.
CVE-2008-5510: Kojima Hajime reported that, unlike literal null characters, which were handled correctly, the escaped form '\0' was ignored by the CSS parser and treated as if it was not present in the CSS input string. This issue could potentially be used to bypass script sanitization routines in web applications. The severity of this issue was determined to be low.
CVE-2008-5508: Perl developer Chip Salzenberg reported that certain control characters, when placed at the beginning of a URL, would lead to incorrect parsing resulting in a malformed URL being output by the parser. IBM researchers Justin Schuh, Tom Cr ...
Description truncated, for more information please check the Reference URL
Affected
MozillaFirefox, seamonkey on openSUSE 10.3, openSUSE 11.0, openSUSE 11.1
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5503, CVE-2008-5505, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C