Accessing XBL compilation scope via valueOf.call() — Mozilla

2006-04-1300:00:00

Mozilla Foundation

www.mozilla.org

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.97

Percentile

99.8%

JSON

moz_bug_r_a4 discovered that the compilation scope of privileged built-in XBL bindings was not fully protected from web content and could be accessed by calling valueOf.call() and valueOf.apply() on a method of that binding. This could then be used to compile and run attacker-supplied JavaScript, giving it the privileges of the binding which would allow an attacker to install malware such as viruses and password sniffers.

Affected configurations

Vulners

Node

mozillafirefoxRange<1.0.8

mozillafirefoxRange<1.5

mozillamozilla_suiteRange<1.7.13

mozillaseamonkeyRange<1

mozillathunderbirdRange<1.0.8

mozillathunderbirdRange<1.5

VendorProductVersionCPE
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
mozillamozilla_suite*cpe:2.3:a:mozilla:mozilla_suite:*:*:*:*:*:*:*:*
mozillaseamonkey*cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
mozillathunderbird*cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	firefox	*	cpe:2.3:a:mozilla:firefox::::::::
mozilla	mozilla_suite	*	cpe:2.3:a:mozilla:mozilla_suite::::::::
mozilla	seamonkey	*	cpe:2.3:a:mozilla:seamonkey::::::::
mozilla	thunderbird	*	cpe:2.3:a:mozilla:thunderbird::::::::