Mozilla Firefox — свободный браузер на движке Gecko

The PLUGINSPAGE functionality in Mozilla Firefox before 1.5.0.4 allows remote user-assisted attackers to execute privileged code by tricking a user into installing missing plugins and selecting the "Manual Install" button, then using nested javascript: URLs. NOTE: the manual install button is used for downloading software from a remote web site, so this issue would not cross privilege boundaries if the user progresses to the point of installing malicious software from the attacker-controlled site.

Firefox 1.5.0.2 does not fix all test cases associated with CVE-2006-1729, which allows remote attackers to read arbitrary files by inserting the target filename into a text box, then turning that box into a file upload control.

Mozilla Firefox and Thunderbird before 1.5.0.4 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) nested <option> tags in a select tag, (2) a DOMNodeRemoved mutation event, (3) "Content-implemented tree views," (4) BoxObjects, (5) the XBL implementation, (6) an iframe that attempts to remove itself, which leads to memory corruption.

Mozilla Firefox and Thunderbird before 1.5.0.4 strip the Unicode Byte-order-Mark (BOM) from a UTF-8 page before the page is passed to the parser, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a BOM sequence in the middle of a dangerous tag such as SCRIPT.

The PLUGINSPAGE functionality in Mozilla Firefox before 1.5.0.4 allows ...

Mozilla Firefox and Thunderbird before 1.5.0.4 strip the Unicode Byte- ...

Firefox 1.5.0.2 does not fix all test cases associated with CVE-2006-1 ...

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 1.5 ...

Integer overflow in Mozilla Firefox and Thunderbird before 1.5.0.4 all ...

Mozilla Firefox and Thunderbird before 1.5.0.4 allow remote attackers ...