Описание
The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFragmentSink protection mechanism in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 does not properly sanitize HTML in a chrome document, which makes it easier for remote attackers to execute arbitrary JavaScript with chrome privileges via a javascript: URI in input to an extension, as demonstrated by a javascript:alert sequence in (1) the HREF attribute of an A element or (2) the ACTION attribute of a FORM element.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux Extended Update Support 4.8 | firefox | Affected | ||
| Red Hat Enterprise Linux Extended Update Support 5.6 | firefox | Affected | ||
| Red Hat Enterprise Linux Extended Update Support 6.0 | firefox | Affected | ||
| Red Hat Enterprise Linux Extended Update Support 6.0 | thunderbird | Affected | ||
| Red Hat Enterprise Linux 4 | firefox | Fixed | RHSA-2011:0310 | 02.03.2011 |
| Red Hat Enterprise Linux 5 | firefox | Fixed | RHSA-2011:0310 | 02.03.2011 |
| Red Hat Enterprise Linux 5 | xulrunner | Fixed | RHSA-2011:0310 | 02.03.2011 |
| Red Hat Enterprise Linux 6 | firefox | Fixed | RHSA-2011:0310 | 02.03.2011 |
| Red Hat Enterprise Linux 6 | xulrunner | Fixed | RHSA-2011:0310 | 02.03.2011 |
| Red Hat Enterprise Linux 6 | thunderbird | Fixed | RHSA-2011:0311 | 02.03.2011 |
Показывать по
Дополнительная информация
Статус:
6.8 Medium
CVSS2
Связанные уязвимости
The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFragmentSink protection mechanism in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 does not properly sanitize HTML in a chrome document, which makes it easier for remote attackers to execute arbitrary JavaScript with chrome privileges via a javascript: URI in input to an extension, as demonstrated by a javascript:alert sequence in (1) the HREF attribute of an A element or (2) the ACTION attribute of a FORM element.
The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFragmentSink protection mechanism in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 does not properly sanitize HTML in a chrome document, which makes it easier for remote attackers to execute arbitrary JavaScript with chrome privileges via a javascript: URI in input to an extension, as demonstrated by a javascript:alert sequence in (1) the HREF attribute of an A element or (2) the ACTION attribute of a FORM element.
The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFrag ...
The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFragmentSink protection mechanism in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 does not properly sanitize HTML in a chrome document, which makes it easier for remote attackers to execute arbitrary JavaScript with chrome privileges via a javascript: URI in input to an extension, as demonstrated by a javascript:alert sequence in (1) the HREF attribute of an A element or (2) the ACTION attribute of a FORM element.
6.8 Medium
CVSS2