CVSS2: 5.1 Medium
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
EPSS: 0.019 Low
EPSS Percentile: 88.4%

Several scripting vulnerabilities were discovered and
corrected in Mozilla:
CVE-2004-0905
javascript: links dragged onto another frame or
page allow an attacker to steal or modify sensitive
information from other sites. The user could be convinced
to drag obscured links in the context of a game or even a
fake scrollbar. If the user could be convinced to drag two
links in sequence into a separate window (not frame), the
attacker would be able to run arbitrary programs.
CVE-2004-0908
Untrusted JavaScript code can read and write to the
clipboard, stealing any sensitive data the user might
have copied.
Workaround: disable JavaScript.
CVE-2004-0909
Signed scripts requesting enhanced abilities could
construct the request in a way that led to a confusing
grant dialog, possibly fooling the user into thinking
the privilege requested was inconsequential while
actually obtaining explicit permission to run and
install software.
Workaround: Never grant enhanced abilities of any kind
to untrusted web pages.