Lucene search

K
mozillaMozilla FoundationMFSA2006-05
HistoryFeb 01, 2006 - 12:00 a.m.

Localstore.rdf XML injection through XULDocument.persist() — Mozilla

2006-02-0100:00:00
Mozilla Foundation
www.mozilla.org
17

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS

0.961

Percentile

99.5%

XULDocument.persist() did not validate the attribute name, allowing an attacker to inject XML into localstore.rdf that would be read and acted upon at startup. This could include JavaScript commands that would be run with the permissions of the browser.

Affected configurations

Vulners
Node
mozillafirefoxRange<1.0.8
OR
mozillafirefoxRange<1.5.0.1
OR
mozillamozilla_suiteRange<1.7.13
OR
mozillaseamonkeyRange<1
OR
mozillathunderbirdRange<1.0.8
OR
mozillathunderbirdRange<1.5.0.2
VendorProductVersionCPE
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
mozillamozilla_suite*cpe:2.3:a:mozilla:mozilla_suite:*:*:*:*:*:*:*:*
mozillaseamonkey*cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
mozillathunderbird*cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS

0.961

Percentile

99.5%