Unauthorized access to wyciwyg:// documents — Mozilla

Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached wyciwyg documents. It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data...

XSS using addEventListener and setTimeout — Mozilla

Mozilla contributor mozbugra4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site...

Cross site scripting

Cross-domain vulnerability in Apple Safari for Windows 3.0.2 allows remote attackers to bypass the Same Origin Policy and access restricted information from other domains via JavaScript that overwrites the document variable and statically sets the document.domain attribute to a file:// location, ...

CVE-2007-3514

Cross-domain vulnerability in Apple Safari for Windows 3.0.2 allows remote attackers to bypass the Same Origin Policy and access restricted information from other domains via JavaScript that overwrites the document variable and statically sets the document.domain attribute to a file:// location, ...

CVE-2007-3514

CVE-2007-3514 describes a cross-domain vulnerability in Apple Safari for Windows 3.0.2 where JavaScript that overwrites the document variable and statically assigns the document.domain to a file:// location bypasses the Same Origin Policy and allows access to restricted information from other dom...

CVE-2007-3514

Cross-domain vulnerability in Apple Safari for Windows 3.0.2 allows remote attackers to bypass the Same Origin Policy and access restricted information from other domains via JavaScript that overwrites the document variable and statically sets the document.domain attribute to a file:// location, ...

CVE-2007-3481

Cross-domain vulnerability in Microsoft Internet Explorer 6 and 7 allows remote attackers to bypass the Same Origin Policy and access restricted information from other domains via JavaScript that overwrites the document variable and statically sets the document.domain attribute. NOTE: this issue...

CVE-2007-3482

Cross-domain vulnerability in Apple Safari for Windows 3.0.1 allows remote attackers to bypass the "same origin policy" and access restricted information from other domains via JavaScript that overwrites the document variable and statically sets the document.domain attribute...

Cross site scripting

Cross-domain vulnerability in Apple Safari for Windows 3.0.1 allows remote attackers to bypass the "same origin policy" and access restricted information from other domains via JavaScript that overwrites the document variable and statically sets the document.domain attribute...

CVE-2007-3481

CVE-2007-3481 concerns a cross-domain issue in Microsoft Internet Explorer 6 and 7 where a remote attacker could bypass the Same Origin Policy by a JavaScript action that overwrites the document variable and statically sets the document.domain attribute. The connected PT-security entry confirms a...

CVE-2007-3481

Cross-domain vulnerability in Microsoft Internet Explorer 6 and 7 allows remote attackers to bypass the Same Origin Policy and access restricted information from other domains via JavaScript that overwrites the document variable and statically sets the document.domain attribute. NOTE: this issue...

CVE-2007-3482

CVE-2007-3482 concerns Cross-domain vulnerability in Apple Safari for Windows 3.0.1 where JavaScript can overwrite the document variable and statically set document.domain, allowing a remote attacker to bypass the same-origin policy and access restricted information from other domains. The connec...

CVE-2007-3482

Cross-domain vulnerability in Apple Safari for Windows 3.0.1 allows remote attackers to bypass the "same origin policy" and access restricted information from other domains via JavaScript that overwrites the document variable and statically sets the document.domain attribute...

PT-2007-4742 · Microsoft · Internet Explorer

Name of the Vulnerable Software and Affected Versions: Microsoft Internet Explorer versions 6 through 7 Description: A cross-domain issue allows remote attackers to bypass the Same Origin Policy and access restricted information from other domains via JavaScript. This is achieved by overwriting t...

[Full-disclosure] Safari XMLHttpRequest HTTP header injection

Westpoint Security Advisory --------------------------- Title: Safari XMLHttpRequest HTTP header injection Risk Rating: Low Platforms: MacOS and Windows Author: Richard Moore [email protected] Date: 25 June 2007 Advisory ID: wp-07-0002 URL: http://www.westpoint.ltd.uk/advisories/wp-07-0002.tx...

Apple Safari cross-domain HTTP redirection race condition

Overview Apple Safari contains a race condition when handling HTTP redirection when updating pages. This can allow a cross-domain violation. Description Apple Safari contains a race condition when updating pages. When this race condition is used in combination with an HTTP redirection, Safari may...

Mozilla Firefox allows cross-domain iframe access via JavaScript

Overview Mozilla Firefox allows cross-domain access to an iframe. This vulnerability could allow an attacker to interact with a web site in a different domain. The attacker could read content and cookies, capture keystrokes, and modify content. Description An iframe is an HTML element which allow...

USN-468-1: Firefox vulnerabilities

Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user's privileges. CVE-2007-2867, CVE-2007-2868 A flaw was discovered in the form autocomplete feature. By tricking a user in...

CVE-2007-2870

Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to bypass the same-origin policy and conduct cross-site scripting XSS and other attacks by using the addEventListener method to add an event listener for a site, which is executed ...

CVE-2007-2870

Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to bypass the same-origin policy and conduct cross-site scripting XSS and other attacks by using the addEventListener method to add an event listener for a site, which is executed ...