Security-Alerts mailing list archive (email@example.com)
[security-alerts] FW: [SA26288] Mozilla Products Addon Chrome-Loaded "about:blank" Cross-Context Scripting
> Mozilla Products Addon Chrome-Loaded "about:blank" Cross-Context
> SECUNIA ADVISORY ID:
> VERIFY ADVISORY:
> Moderately critical
> Cross Site Scripting, System access
> From remote
> 1.1 originally posted 2007-07-31
> Mozilla Firefox 2.0.x
> Mozilla SeaMonkey 1.1.x
> Mozilla Thunderbird 2.x
> A vulnerability has been reported in Mozilla products, which
> potentially can be exploited by malicious people to compromise a
> user's system.
> The vulnerability is caused due to an error within the handling of
> "about:blank" pages loaded by chrome in an addon. This can be
> exploited to execute script code under chrome privileges by e.g.
> clicking on a link opened in an "about:blank" window created and
> populated in certain ways by an addon.
> Successful exploitation requires that certain addons are installed.
> The vulnerability is reported in the following products and
> * Firefox 126.96.36.199
> * Thunderbird 188.8.131.52
> * SeaMonkey 1.1.3
> Update to the latest versions:
> Update to version 184.108.40.206.
> Fixed in the upcoming version 220.127.116.11.
> Fixed in the upcoming version 1.1.4.
> NOTE: With version 18.104.22.168, changes that prevent exploitation of a
> URI handling vulnerability in Microsoft Windows were applied to
> Firefox and Thunderbird.
> For more information:
> PROVIDED AND/OR DISCOVERED BY:
> 2007-07-31: Updated "Description". Added link to vendor advisory.
> ORIGINAL ADVISORY:
> OTHER REFERENCES: