CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS
Percentile: 61.1%

Yosuke Hasegawa reported that the Mozilla browser engine mishandled invalid sequences in the Shift-JIS encoding. When encountering an invalid pair, Mozilla would turn the entire two-byte sequence into a single unknown character rather than an unknown character followed by a valid single-byte character. On some sites, attackers may have been able to end their input with the first byte of a two-byte sequence; when that input was later put into a page context, it might cause the following delimiter (such as a double-quote) to be consumed, breaking the format of the page. Depending on the page, this could potentially be used to steal data or inject script into the page.
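
The decoding difference described above, as an added example (not Mozilla's code): a minimal Shift-JIS decoder with a switch between the reported behaviour and the corrected one, run over a constructed page fragment. The function names, the sample bytes and the `has_dangling_lead` input check are assumptions made for this illustration.

```python
# Added illustration; function names and sample bytes are constructed for this example.
REPLACEMENT = "\ufffd"

def is_lead(b):   # first byte of a two-byte Shift-JIS character
    return 0x81 <= b <= 0x9F or 0xE0 <= b <= 0xFC

def is_trail(b):  # permitted second byte
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFC

def decode_single(b):
    if b < 0x80:
        return chr(b)                      # ASCII range
    if 0xA1 <= b <= 0xDF:
        return chr(0xFF61 + b - 0xA1)      # half-width katakana
    return REPLACEMENT

def decode_sjis(data, consume_invalid_pair):
    """consume_invalid_pair=True models the reported behaviour, False the corrected one."""
    out, i = [], 0
    while i < len(data):
        b, pair = data[i], data[i:i + 2]
        if not is_lead(b):
            out.append(decode_single(b))
            i += 1
            continue
        if len(pair) == 2 and is_trail(pair[1]):
            try:
                out.append(pair.decode("shift_jis"))
                i += 2
                continue
            except UnicodeDecodeError:
                pass                        # in range but unmapped: treat as invalid
        out.append(REPLACEMENT)
        i += 2 if consume_invalid_pair else 1   # corrected: re-read the second byte
    return "".join(out)

def has_dangling_lead(data):
    """Server-side check: does this field end on an unpaired lead byte?"""
    i = 0
    while i < len(data):
        if is_lead(data[i]):
            if i + 1 >= len(data):
                return True
            i += 2 if is_trail(data[i + 1]) else 1
        else:
            i += 1
    return False

FIELD = b"abc\x82"                                   # constructed input
PAGE = b'<input value="' + FIELD + b'" title="x">'   # constructed page bytes
```

With the reported behaviour the quote that closes `value` is missing from the decoded text; with the corrected behaviour it survives after U+FFFD. Rejecting fields for which `has_dangling_lead` is true keeps such input out of the page regardless of which decoder the client uses.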