6987 matches found
Information disclosure with *FromPoint on iframes — Mozilla
Security researcher Jordan Milne reported an information leak where document.caretPositionFromPoint and document.elementFromPoint functions could be used on a cross-origin iframe to gain information on the iframe's DOM and other attributes through a timing attack, violating same-origin policy...
CVE-2014-1487
The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages...
Security Vulnerabilities in Apache Cordova / PhoneGap
The following email was sent to Apache Cordova/PhoneGap on 12/13/2013, and again on 1/17/2014. As there has been no response, we are re-posting it here to alert the general public of the inherent vulnerabilities in Apache Cordova/PhoneGap. Dear PhoneGap contributors, PhoneGap’s domain whitelistin...
CVE-2012-2899
Google Chrome before 21.0.1180.82 on iOS makes certain incorrect calls to WebView methods that trigger use of an applewebdata: URL, which allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS UXSS attacks via vectors involving the document.write method...
CVE-2012-2899
Google Chrome before 21.0.1180.82 on iOS makes certain incorrect calls to WebView methods that trigger use of an applewebdata: URL, which allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS UXSS attacks via vectors involving the document.write method...
Design/Logic Flaw
Google Chrome before 21.0.1180.82 on iOS makes certain incorrect calls to WebView methods that trigger use of an applewebdata: URL, which allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS UXSS attacks via vectors involving the document.write method...
CVE-2012-2899
Summary: CVE-2012-2899 affects Google Chrome on iOS prior to 21.0.1180.82. The issue arises from incorrect calls to WebView methods that enable an applewebdata: URL, bypassing the Same Origin Policy and enabling Universal XSS (UXSS) via document.write. Impact: SOP bypass and UXSS risk on affected...
CVE-2012-2899
Removed by vendor...
CVE-2013-5227
Apple Safari before 6.1.1 and 7.x before 7.0.1 allows remote attackers to bypass the Same Origin Policy and discover credentials by triggering autofill of subframe form fields...
Design/Logic Flaw
Apple Safari before 6.1.1 and 7.x before 7.0.1 allows remote attackers to bypass the Same Origin Policy and discover credentials by triggering autofill of subframe form fields...
CVE-2013-5227
CVE-2013-5227 (Safari autofill origin tracking) affects Apple Safari, where remote attackers could bypass Same Origin Policy and discover credentials by triggering autofill of subframe form fields. The vulnerability is described as: Safari may autofill user names and passwords into a subframe fro...
CVE-2013-5227
Apple Safari before 6.1.1 and 7.x before 7.0.1 allows remote attackers to bypass the Same Origin Policy and discover credentials by triggering autofill of subframe form fields...
Vatican Web Site Cross Site Scripting
Official Vatican web site Cross Site Scripting Time Line Vulnerability No one has responded to multiple security advisories sent to Vatican -------------------------------------------------------------------- Title: Official Vatican web site Cross Site Scripting Vendor: http://vatican.va...
CVE-2013-5612
Cross-site scripting XSS vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type HTTP header...
CVE-2013-5612
Cross-site scripting XSS vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type HTTP header...
Cross site scripting
Cross-site scripting XSS vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type HTTP header...
CVE-2013-5612
Cross-site scripting XSS vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type HTTP header...
CVE-2013-5612
CVE-2013-5612 is a cross-site scripting (XSS) vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 due to the absence of a charset parameter in the Content-Type header. Connected advisories confirm Firefox/SeaMonkey fixes in 2013–2014 releases (e.g., openSUSE SU-2013:1917, Mirac...
Mozilla: Character encoding cross-origin XSS attack (MFSA 2013-106)
Cross-site scripting XSS vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type HTTP header...
CVE-2013-5612
Cross-site scripting XSS vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type HTTP header...