Oval Definition:oval:org.mitre.oval:def:12532
Revision Date:2014-10-06Version:31
Title:Remote code execution vulnerability in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 through ParanoidFragmentSink protection mechanism
Description:The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFragmentSink protection mechanism in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 does not properly sanitize HTML in a chrome document, which makes it easier for remote attackers to execute arbitrary JavaScript with chrome privileges via a javascript: URI in input to an extension, as demonstrated by a javascript:alert sequence in (1) the HREF attribute of an A element or (2) the ACTION attribute of a FORM element.
Family:windowsClass:vulnerability
Status:ACCEPTEDReference(s):CVE-2010-1585
Platform(s):Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s):Mozilla Firefox
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis
  • Check for vulnerable versions for Mozilla Firefox
  • Mozilla Firefox Mainline release is installed
  • AND Check for vulnerable version
  • Mozilla Firefox Mainline version is before 3.5.17
  • OR Mozilla Firefox Mainline version is 3.6.x before 3.6.14
  • OR Check for vulnerable versions for Mozilla SeaMonkey
  • Mozilla Seamonkey is installed
  • AND Check if Mozilla SeaMonkey version is before 2.0.12
  • OR Check for vulnerable versions for Mozilla Thunderbird
  • Mozilla Thunderbird Mainline release is installed
  • AND Check if Mozilla Thunderbird version is before 3.1.8
    • BACK