Metric | Value |
---|---|
CVSS2 score | 7.5 High |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
CVSS2 vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
EPSS | 0.013 Low |
EPSS percentile | 85.8% |


A class of bugs affecting many web browsers in the same way was discovered. A Secunia advisory reports:

> The problem is that the browsers don’t check if a target frame belongs to a website containing a malicious link, which therefore doesn’t prevent one browser window from loading content in a named frame in another window.
>
> Successful exploitation allows a malicious website to load arbitrary content in an arbitrary frame in another browser window owned by e.g. a trusted site.

A KDE Security Advisory reports:

> A malicious website could abuse Konqueror to insert its own frames into the page of an otherwise trusted website. As a result the user may unknowingly send confidential information intended for the trusted website to the malicious website.

Secunia has provided a demonstration of the vulnerability at http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/.

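
The ownership check that the Secunia advisory says is missing, shown as a simplified model added here (not code from the advisories or from any affected browser). The context structure, the function names and the `.example` origins are assumptions constructed for illustration.

```javascript
// Simplified model of named-frame targeting. Constructed for illustration;
// not taken from any browser. A context is { name, origin, parent, children }.
function makeContext(name, origin, parent = null) {
  const ctx = { name, origin, parent, children: [] };
  if (parent) parent.children.push(ctx);
  return ctx;
}

// Collect every context called `name` in the tree rooted at `root`.
function collectByName(root, name, out = []) {
  if (root.name === name) out.push(root);
  for (const child of root.children) collectByName(child, name, out);
  return out;
}

// A frame "belongs to" the site whose document embeds it (its parent);
// a top-level window belongs to the site it is showing.
function ownerOrigin(ctx) {
  return (ctx.parent || ctx).origin;
}

// Behaviour the advisory describes: the name is looked up across all open
// windows and the first match is used, whoever owns it.
function resolveUnchecked(initiator, name, windows) {
  const hits = windows.flatMap((w) => collectByName(w, name));
  return hits[0] || null;
}

// Same lookup with the ownership check: only frames owned by the initiating
// site qualify. null means "no usable frame", so the caller would open the
// link in a new window instead of touching another site's frame.
function resolveChecked(initiator, name, windows) {
  const hits = windows.flatMap((w) => collectByName(w, name));
  return hits.find((f) => ownerOrigin(f) === initiator.origin) || null;
}

// Constructed sample: a trusted frameset and an unrelated page in a second window.
function sampleWindows() {
  const trustedTop = makeContext("", "https://trusted.example");
  const trustedFrame = makeContext("content", "https://trusted.example", trustedTop);
  const otherTop = makeContext("", "https://other.example");
  return { trustedTop, trustedFrame, otherTop, windows: [trustedTop, otherTop] };
}
```

In this model a link from the unrelated page that targets `content` resolves to the trusted site's frame without the check and to nothing with it, while the trusted site's own links still reach their frame.
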

OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | kdelibs | < 3.2.3_3 | UNKNOWN |
FreeBSD | any | noarch | kdebase | < 3.2.3_1 | UNKNOWN |
FreeBSD | any | noarch | linux-opera | = 7.50 | UNKNOWN |
FreeBSD | any | noarch | linux-opera | < 7.52 | UNKNOWN |
FreeBSD | any | noarch | opera | = 7.50 | UNKNOWN |
FreeBSD | any | noarch | opera | < 7.52 | UNKNOWN |
FreeBSD | any | noarch | firefox | < 0.9 | UNKNOWN |
FreeBSD | any | noarch | linux-mozilla | < 1.7 | UNKNOWN |
FreeBSD | any | noarch | linux-mozilla-devel | < 1.7 | UNKNOWN |
FreeBSD | any | noarch | mozilla-gtk1 | < 1.7 | UNKNOWN |