Cross-site scripting (XSS) protection bypass in Mozilla Firefox, Thunderbird and SeaMonkey via BOM characters in JavaScript
Description
Attackers can bypass cross-site scripting (XSS) protection mechanisms and conduct an XSS attack using byte order mark (BOM) characters, which are removed from JavaScript code before it is executed. This vulnerability is known as the "Stripped BOM characters bug."
Affected software versions
- Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2
- Thunderbird before 2.0.0.17
- SeaMonkey before 1.1.12
Vulnerability type
Protection mechanism bypass and cross-site scripting (XSS)
CVSS2
4.3 Medium