8 matches found
SUSE CVE-2009-3988
Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly restrict read access to object properties in showModalDialog, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting XSS attacks via crafted...
FreeBSD : mozilla -- multiple vulnerabilities (f82c85d8-1c6e-11df-abb2-000f20797ede)
Mozilla Project reports : MFSA 2010-05 XSS hazard using SVG document and binary Content-Type MFSA 2010-04 XSS due to window.dialogArguments being readable cross-domain MFSA 2010-03 Use-after-free crash in HTML parser MFSA 2010-02 Web Worker Array Handling Heap Corruption Vulnerability MFSA 2010-0...
Mozilla violation of same-origin policy due to properties set on objects passed to showModalDialog (MFSA 2010-04)
Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly restrict read access to object properties in showModalDialog, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting XSS attacks via crafted...
XSS due to window.dialogArguments being readable cross-domain — Mozilla
Security researcher Hidetake Jo of Microsoft Vulnerability Research reported that the properties set on an object passed to showModalDialog were readable by the document contained in the dialog, even when the document was from a different domain. This is a violation of the same-origin policy and...
Microsoft Internet Explorer contains cross-site scripting vulnerabilities in local HTML resources
Overview Microsoft Internet Explorer IE includes several local HTML resources that contain cross-site scripting vulnerabilities. These resources use the dialogArguments property of dialog frames insecurely, allowing an attacker to execute arbitrary script in the Local Machine Zone. Description...
MS02-023 does not patch actual issue!
Hello, Microsoft released a cumulative patch yesterday, which, among other issues, allegedly patches the dialogArguments vulnerability http://jscript.dk/adv/TL002/. In their bulletin Microsoft makes several severe errors: 1. "A cross-site scripting vulnerability in a Local HTML Resource..." No,...
Update and comments on the MS02-023 patch, holes still remain
The latest cumulative patch from Microsoft, http://www.microsoft.com/technet/security/bulletin/MS02-023.asp , promises to eliminate "six newly discovered vulnerabilities", but fails to do so. First, we find what MS calls "A cross-site scripting vulnerability in a Local HTML Resource". This is...
IE allows universal Cross Site Scripting (TL#002)
Thor Larholm security advisory TL002 ------------------------------------- By Thor Larholm, Denmark. 16 April 2002 HTML Format: http://jscript.dk/adv/TL002/ Topic: IE allows universal Cross Site Scripting. Discovery date: 18 March 2002. Severity: High Affected applications: ----------------------...