Mozilla Foundation Security Advisory 2006-72

2006-12-20 00:00:00
vulners.com

Title: XSS by setting img.src to javascript: URI
Impact: High
Announced: December 19, 2006
Reporter: moz_bug_r_a4
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 2.0.0.1
          Firefox 1.5.0.9
          Thunderbird 1.5.0.9
          SeaMonkey 1.0.7
Description
moz_bug_r_a4 reported that the src attribute of an IMG element loaded in a frame could be changed to a javascript: URI that was able to bypass the protections against cross-site scripting (XSS) injection. The injected script could steal credentials and financial data, or perform destructive actions on behalf of a logged-in user.
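As an added example that is not part of the advisory: a scheme allowlist a web application can apply before assigning an untrusted value to img.src, contrasted with a naive denylist that does not normalize the input the way a browser's URL parser does. The base origin, function names and sample inputs are constructed for illustration.

```javascript
// Constructed page origin against which relative src values are resolved.
const BASE_ORIGIN = "https://example.com/";
// Allowlist: only schemes a document image may legitimately be fetched from.
const ALLOWED_IMAGE_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized absolute URL if the candidate resolves to an allowed
// scheme, or null if it must be rejected (hypothetical helper).
function safeImageSrc(candidate, base = BASE_ORIGIN) {
  if (typeof candidate !== "string") return null;
  let parsed;
  try {
    // The WHATWG URL parser lowercases the scheme and strips surrounding
    // whitespace and embedded tab/newline characters, so the check below sees
    // the scheme a browser would actually act on, not the raw string.
    parsed = new URL(candidate, base);
  } catch {
    return null; // unparseable input is rejected rather than passed through
  }
  return ALLOWED_IMAGE_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Naive denylist for comparison: a raw-string prefix test with no
// normalization, the kind of check that looks sufficient but is not.
function naiveDenylistAccepts(candidate) {
  return !candidate.toLowerCase().startsWith("javascript:");
}

// Constructed sample inputs: legitimate values alongside the advisory's
// javascript: shape and variants the raw prefix test does not recognize.
const SAMPLE_INPUTS = [
  "https://cdn.example.com/logo.png",
  "/images/avatar.png",
  "javascript:alert(1)",
  "  JAVASCRIPT:alert(1)",
  "java\nscript:alert(1)",
  "data:image/png;base64,iVBORw0KGgo=",
];

// Reports, per input, what each check would do; usable as a regression table
// for the sanitizer that guards img.src assignments.
function auditSamples(inputs = SAMPLE_INPUTS) {
  return inputs.map((value) => ({
    value,
    allowlistAccepts: safeImageSrc(value) !== null,
    naiveAccepts: naiveDenylistAccepts(value),
  }));
}
```

Only values for which safeImageSrc returns a non-null href should ever reach img.src; the denylist column exists to show which inputs it would have let through.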
Workaround
Disable JavaScript until you can upgrade to a fixed version.
References
Exploit details withheld until after the active update period.

https://bugzilla.mozilla.org/show_bug.cgi?id=351370
CVE-2006-6503