Lucene search

Mozilla FoundationMFSA2011-27

HistoryJun 21, 2011 - 12:00 a.m.

XSS encoding hazard with inline SVG — Mozilla

2011-06-2100:00:00

Mozilla Foundation

www.mozilla.org

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.002

Percentile

57.3%

JSON

Security researcher Mario Heiderich reported that HTML-encoded entities were being improperly decoded when displayed inside SVG elements. This could lead to XSS attacks on sites relying on HTML encoding of user-supplied content.

Affected configurations

Vulners

Node

mozillafirefoxRange<5

mozillaseamonkeyRange<2.2

VendorProductVersionCPE
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
mozillaseamonkey*cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	firefox	*	cpe:2.3:a:mozilla:firefox::::::::
mozilla	seamonkey	*	cpe:2.3:a:mozilla:seamonkey::::::::

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2369

bugzilla.mozilla.org/show_bug.cgi?id=650001

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.002

Percentile

57.3%

JSON

Related for MFSA2011-27