Lucene search

Mozilla FoundationMFSA2007-05

HistoryFeb 23, 2007 - 12:00 a.m.

XSS and local file access by opening blocked popupsand local file access by opening blocked popups — Mozilla

2007-02-2300:00:00

Mozilla Foundation

www.mozilla.org

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.551

Percentile

97.7%

JSON

shutdown reported that if you could convince a user to open a blocked popup you could perform a cross-site scripting attack against any site that contains a frame whose source is a data: URL. To accomplish this the attacker’s site would have to frame the target site plus another frame whose source is the exact same data: url as the victim site, and then attempt to open a popup with a javascript: url from the data: frame. It is unclear whether any high-value target sites that match this description actually exist.

Affected configurations

Vulners

Node

mozillafirefoxRange<1.5.0.10

mozillafirefoxRange<2.0.0.2

mozillaseamonkeyRange<1.0.8

VendorProductVersionCPE
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
mozillaseamonkey*cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	firefox	*	cpe:2.3:a:mozilla:firefox::::::::
mozilla	seamonkey	*	cpe:2.3:a:mozilla:seamonkey::::::::

References

nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0780

nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0800

bugzilla.mozilla.org/show_bug.cgi?id=354973

bugzilla.mozilla.org/show_bug.cgi?id=369390

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.551

Percentile

97.7%

JSON

Related for MFSA2007-05