CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile
99.8%
moz_bug_r_a4 discovered that the compilation scope of privileged built-in XBL bindings was not fully protected from web content and could be accessed by calling valueOf.call() and valueOf.apply() on a method of that binding. This could then be used to compile and run attacker-supplied JavaScript, giving it the privileges of the binding which would allow an attacker to install malware such as viruses and password sniffers.
Vendor | Product | Version | CPE |
---|---|---|---|
mozilla | firefox | * | cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* |
mozilla | mozilla_suite | * | cpe:2.3:a:mozilla:mozilla_suite:*:*:*:*:*:*:*:* |
mozilla | seamonkey | * | cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:* |
mozilla | thunderbird | * | cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* |