Lucene search
K

221 matches found

securityvulns
securityvulns
added 2010/09/10 12:0 a.m.88 views

Mozilla Foundation Security Advisory 2010-61

Mozilla Foundation Security Advisory 2010-61 Title: UTF-7 XSS by overriding document charset using object type attribute Impact: High Announced: September 7, 2010 Reporter: David Huang, Collin Jackson Products: Firefox, Thunderbird, SeaMonkey Fixed in: Firefox 3.6.9 Firefox 3.5.12 Thunderbird 3.1...

4.3CVSS1AI score0.02107EPSS
Exploits0
Prion
Prion
added 2010/09/09 7:0 p.m.22 views

Cross site scripting

Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict use of the type attribute of an OBJECT element to set a document's charset, which allows remote attackers to bypass cross-site scripting XSS...

4.3CVSS6AI score0.02107EPSS
Exploits0References14Affected Software3
Cvelist
Cvelist
added 2010/09/09 6:0 p.m.26 views

CVE-2010-2768

Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict use of the type attribute of an OBJECT element to set a document's charset, which allows remote attackers to bypass cross-site scripting XSS...

8.2AI score0.02107EPSS
Exploits0References14
CVE
CVE
added 2010/09/09 6:0 p.m.140 views

CVE-2010-2768

CVE-2010-2768 affects Mozilla Firefox (before 3.5.12 and 3.6.x before 3.6.9), Thunderbird (before 3.0.7 and 3.1.x before 3.1.3), and SeaMonkey (before 2.0.7). Root cause: Object tag type attribute not properly restricted when setting a document charset, enabling UTF-7 encoded payloads to bypass X...

4.3CVSS8AI score0.02107EPSS
Exploits0References14Affected Software1
Tenable Nessus
Tenable Nessus
added 2010/09/09 12:0 a.m.38 views

FreeBSD : mozilla -- multiple vulnerabilities (4a21ce2c-bb13-11df-8e32-000f20797ede)

The Mozilla Project reports : MFSA 2010-49 Miscellaneous memory safety hazards rv:1.9.2.9/ 1.9.1.12 MFSA 2010-50 Frameset integer overflow vulnerability MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array MFSA 2010-52 Windows XP DLL loading vulnerability MFSA 2010-53 Heap buffer...

9.3CVSS9.3AI score0.22109EPSS
Exploits1References31
Mozilla
Mozilla
added 2010/09/07 12:0 a.m.45 views

UTF-7 XSS by overriding document charset using <object> type attribute — Mozilla

Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab Silicon Valley campus reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing su...

4.3CVSS9AI score0.02107EPSS
Exploits0References2Affected Software3
UbuntuCve
UbuntuCve
added 2010/09/07 12:0 a.m.45 views

CVE-2010-2768

Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict use of the type attribute of an OBJECT element to set a document's charset, which allows remote attackers to bypass cross-site scripting XSS...

4.3CVSS7.2AI score0.02107EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2010/08/19 12:0 a.m.32 views

FreeBSD : ruby -- UTF-7 encoding XSS vulnerability in WEBrick (34e0316a-aa91-11df-8c2e-001517289bf8)

The official ruby site reports : WEBrick have had a cross-site scripting vulnerability that allows an attacker to inject arbitrary script or HTML via a crafted URI. This does not affect user agents that strictly implement HTTP/1.1, however, some user agents do not. %NASLMINLEVEL 70300 C Tenable...

4.3CVSS7.1AI score0.02814EPSS
Exploits0References3
FreeBSD
FreeBSD
added 2010/08/16 12:0 a.m.48 views

ruby -- UTF-7 encoding XSS vulnerability in WEBrick

The official ruby site reports: WEBrick have had a cross-site scripting vulnerability that allows an attacker to inject arbitrary script or HTML via a crafted URI. This does not affect user agents that strictly implement HTTP/1.1, however, some user agents do not...

4.3CVSS6.9AI score0.02814EPSS
Exploits0References1
NVD
NVD
added 2010/06/17 4:30 p.m.19 views

CVE-2010-0541

Cross-site scripting XSS vulnerability in the WEBrick HTTP server in Ruby in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers to inject arbitrary web script or HTML via a crafted URI that triggers a UTF-7 error page...

4.3CVSS5.1AI score0.02814EPSS
Exploits0References10
Prion
Prion
added 2010/06/17 4:30 p.m.24 views

Cross site scripting

Cross-site scripting XSS vulnerability in the WEBrick HTTP server in Ruby in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers to inject arbitrary web script or HTML via a crafted URI that triggers a UTF-7 error page...

4.3CVSS5.5AI score0.02814EPSS
Exploits0References10Affected Software2
Cvelist
Cvelist
added 2010/06/17 4:0 p.m.21 views

CVE-2010-0541

Cross-site scripting XSS vulnerability in the WEBrick HTTP server in Ruby in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers to inject arbitrary web script or HTML via a crafted URI that triggers a UTF-7 error page...

6.4AI score0.02814EPSS
Exploits0References10
UbuntuCve
UbuntuCve
added 2010/06/17 12:0 a.m.33 views

CVE-2010-0541

Cross-site scripting XSS vulnerability in the WEBrick HTTP server in Ruby in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers to inject arbitrary web script or HTML via a crafted URI that triggers a UTF-7 error page...

4.3CVSS7.2AI score0.02814EPSS
Exploits0References2
Prion
Prion
added 2010/06/11 6:0 p.m.15 views

Cross site scripting

Cross-site scripting XSS vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors related to improper UTF-7 canonicalization, and lack of termination of...

4.3CVSS5.7AI score0.02933EPSS
Exploits0References21Affected Software1
UbuntuCve
UbuntuCve
added 2010/06/11 6:0 p.m.26 views

CVE-2010-1390

Cross-site scripting XSS vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors related to improper UTF-7 canonicalization, and lack of termination of...

4.3CVSS6AI score0.02933EPSS
Exploits0References2
Cvelist
Cvelist
added 2010/06/11 5:28 p.m.24 views

CVE-2010-1390

Cross-site scripting XSS vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors related to improper UTF-7 canonicalization, and lack of termination of...

7.3AI score0.02933EPSS
Exploits0References21
Debian CVE
Debian CVE
added 2010/06/11 5:28 p.m.24 views

CVE-2010-1390

Removed by vendor...

4.3CVSS6.7AI score0.02933EPSS
Exploits0
UbuntuCve
UbuntuCve
added 2009/12/30 8:0 p.m.15 views

CVE-2009-4459

Redmine 0.8.7 and earlier uses the title tag before defining the character encoding in a meta tag, which allows remote attackers to conduct cross-site scripting XSS attacks and inject arbitrary script via UTF-7 encoded values in the title parameter to a new issue page, which may be interpreted as...

4.3CVSS6AI score0.01134EPSS
Exploits0References1
Prion
Prion
added 2009/12/30 8:0 p.m.13 views

Cross site scripting

Redmine 0.8.7 and earlier uses the title tag before defining the character encoding in a meta tag, which allows remote attackers to conduct cross-site scripting XSS attacks and inject arbitrary script via UTF-7 encoded values in the title parameter to a new issue page, which may be interpreted as...

4.3CVSS6.1AI score0.01134EPSS
Exploits0References3Affected Software1
Packet Storm
Packet Storm
added 2009/12/21 12:0 a.m.20 views

Redmine 0.8.7 UTF-7 Cross Site Scripting

Redmine prior to . Thus it may be possible to create a page with encoded to UTF-7 JavaScript in title and it will be executed in Internet Explorer 7/8 with Auto-Select encoding on Proof-of-Concept: 1. Create new issue with title "+ADw-script+AD4-alert'XSS';+ADw-/script+AD4-" without quotes 2. Ope...

7.4AI score
Exploits0
Rows per page
Query Builder