40 matches found
CVE-2017-7815
The CVE-2017-7815 entry relates to Mozilla Firefox's handling of iframe pages where the data: protocol can trigger a JavaScript modal dialog that points to an arbitrary domain, potentially spoofing the origin seen by the user. This vulnerability affects Firefox versions before 56 (i.e., Firefox &...
CVE-2017-5386
WebExtension scripts can use the "data:" protocol to affect pages loaded by other web extensions using this protocol, leading to potential data disclosure or privilege escalation in affected extensions. This vulnerability affects Firefox ESR 45.7 and Firefox 51...
CVE-2017-7791
On pages containing an iframe, the "data:" protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. This vulnerability affects Thunderbird 52.3, Firefox ESR 52.3, and Firefox ...
CVE-2017-5386
CVE-2017-5386 : WebExtension scripts can use the data: protocol to affect pages loaded by other web extensions, enabling potential data disclosure or privilege escalation. Public disclosures show the issue affects Mozilla Firefox releases including ESR builds and Firefox versions prior to 51.0.1 ...
The vulnerability in the implementation of the “data” protocol in Mozilla Firefox, Firefox ESR, and the Thunderbird email client allows a perpetrator to influence the integrity of the protected information.
The vulnerability of the “data:” protocol implementation in Mozilla Firefox, Firefox ESR, and the email client Thunderbird is related to errors in its operation on pages containing “iframe” elements. Exploiting this vulnerability can allow a malicious actor to influence the integrity of protected...
UBUNTU-CVE-2017-7815
On pages containing an iframe, the "data:" protocol can be used to create a modal dialog through JavaScript that will have an arbitrary domain as the dialog's location, spoofing the origin of the modal dialog from the user view. Note: This attack only affects installations with e10 multiproce...
Mozilla: Spoofing following page navigation with data: protocol and modal alerts (MFSA 2017-19)
On pages containing an iframe, the "data:" protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. This vulnerability affects Thunderbird 52.3, Firefox ESR 52.3, and Firefox ...
openSUSE Security Update : MozillaFirefox (openSUSE-2017-921)
This update to Mozilla Firefox 52.3esr fixes a number of security issues. The following vulnerabilities were advised upstream under MFSA 2017-19 boo1052829 : - CVE-2017-7798: XUL injection in the style editor in devtools - CVE-2017-7800: Use-after-free in WebSockets during disconnection -...
Mozilla: WebExtensions can use data: protocol to affect other extensions (MFSA 2017-02)
WebExtension scripts can use the "data:" protocol to affect pages loaded by other web extensions using this protocol, leading to potential data disclosure or privilege escalation in affected extensions. This vulnerability affects Firefox ESR 45.7 and Firefox 51...
UBUNTU-CVE-2017-5386
WebExtension scripts can use the "data:" protocol to affect pages loaded by other web extensions using this protocol, leading to potential data disclosure or privilege escalation in affected extensions. This vulnerability affects Firefox ESR 45.7 and Firefox 51...
New Relic: [login.newrelic.com] XSS via return_to
The returnto parameter is not validated properly, which allows an attacker to execute javascript via the data: protocol: https://login.newrelic.com/login?returnto=data:text/html%3Bbase64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg%3D%3D Despite being executed not in the newrelic domain, the script still c...
Apple Safari SOP bypass (CVE-2015-3753)
Damien Antipa and I love browser security. Hence we always keep up to date on what is going on in this field. A few months ago Christian Schneider blogged about Chrome SOP Bypass with SVG. We decided to poke some other browsers using the same technique and the outcome was CVE-2015-3753. The SOP-bypass...
TextSecure to Drop Support for Encrypted SMS
Open Whisper Systems is phasing out support for encrypted SMS and MMS messages in its TextSecure messaging product. The move does not spell the end for encrypted messaging for users of the Android app, as the company plans to switch to its own transport protocol to address some of the security an...
security flaw
Firefox 1.0 does not invoke the Javascript Security Manager when a user drags a javascript: or data: URL to a tab, which allows remote attackers to bypass the security model, aka "firetabbing."...
netscape.datatrack.txt
Date: Sun, 6 Jun 1999 13:17:04 +0300 From: Georgi Guninski To: [email protected] Subject: Netscape Communicator code injection in JavaScript console using "data:" protocol There is a bug in Netscape Communicator 4.6 Win95, 4.07 Linux probably all 4.x are affected, which allows sniffing URLs fr...