CVSS2: AV:N/AC:L/Au:N/C:C/I:C/A:C
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AI Score confidence: High
EPSS percentile: 100.0%
Web pages with extremely long titles caused subsequent launches of
Firefox browser to hang for up to a few minutes, or caused Firefox to
crash on computers with insufficient memory. (CVE-2005-4134)

Igor Bukanov discovered that the JavaScript engine did not properly
declare some temporary variables. Under some rare circumstances, a
malicious website could exploit this to execute arbitrary code with
the privileges of the user. (CVE-2006-0292, CVE-2006-1742)

The function XULDocument.persist() did not sufficiently validate the
names of attributes. An attacker could exploit this to inject
arbitrary XML code into the file "localstore.rdf", which is read and
evaluated at startup. This could include JavaScript commands that
would be run with the user's privileges. (CVE-2006-0296)

Due to a flaw in the HTML tag parser, a specific sequence of HTML tags
caused memory corruption. A malicious web site could exploit this to
crash the browser or even execute arbitrary code with the user's
privileges. (CVE-2006-0749)

Georgi Guninski discovered that embedded XBL scripts of web sites
could escalate their (normally reduced) privileges to get full
privileges of the user if that page is viewed with "Print Preview".
(CVE-2006-1727)

The crypto.generateCRMFRequest() function had a flaw which could be
exploited to run arbitrary code with the user's privileges.
(CVE-2006-1728)

Claus Jørgensen and Jesse Ruderman discovered that a text input box
could be pre-filled with a filename and then turned into a file-upload
control with the contents intact. A malicious web site could exploit
this to read any local file the user has read privileges for.
(CVE-2006-1729)

An integer overflow was detected in the handling of the CSS property
"letter-spacing". A malicious web site could exploit this to run
arbitrary code with the user's privileges. (CVE-2006-1730)

The methods valueOf.call() and valueOf.apply() returned an object
whose privileges were not properly confined to those of the caller,
which made them vulnerable to cross-site scripting attacks. A
malicious web site could exploit this to modify the contents or steal
confidential data (such as passwords) from other opened web pages.
(CVE-2006-1731) The window.controllers array variable (CVE-2006-1732)
and event handlers (CVE-2006-1741) were vulnerable to a similar attack.

The privileged built-in XBL bindings were not fully protected from web
content and could be accessed by calling valueOf.call() and
valueOf.apply() on a method of that binding. A malicious web site
could exploit this to run arbitrary JavaScript code with the user's
privileges. (CVE-2006-1733)

It was possible to use the Object.watch() method to access an internal
function object (the "clone parent"). A malicious web site could
exploit this to execute arbitrary JavaScript code with the user's
privileges. (CVE-2006-1734)

By calling the XBL.method.eval() method in a special way it was
possible to create JavaScript functions that would get compiled with
the wrong privileges. A malicious web site could exploit this to
execute arbitrary JavaScript code with the user's privileges.
(CVE-2006-1735)

Michael Krax discovered that by layering a transparent image link to
an executable on top of a visible (and presumably desirable) image, a
malicious site could fool the user into right-clicking and choosing
"Save image as…" from the context menu, which would download the
executable instead of the image. (CVE-2006-1736)

Several crashes have been fixed which could be triggered by web sites
and involve memory corruption. These could potentially be exploited to
execute arbitrary code with the user's privileges. (CVE-2006-1737,
CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

If the user has turned on the "Entering secure site" modal warning
dialog, it was possible to spoof the browser's secure-site indicators
(the lock icon and the gold URL field background) by first loading the
target secure site in a pop-up window, then changing its location to a
different site, which retained the displayed secure-browsing
indicators from the original site. (CVE-2006-1740)
ubuntu.com/security/CVE-2005-4134
ubuntu.com/security/CVE-2006-0292
ubuntu.com/security/CVE-2006-0296
ubuntu.com/security/CVE-2006-0749
ubuntu.com/security/CVE-2006-1727
ubuntu.com/security/CVE-2006-1728
ubuntu.com/security/CVE-2006-1729
ubuntu.com/security/CVE-2006-1730
ubuntu.com/security/CVE-2006-1731
ubuntu.com/security/CVE-2006-1732
ubuntu.com/security/CVE-2006-1733
ubuntu.com/security/CVE-2006-1734
ubuntu.com/security/CVE-2006-1735
ubuntu.com/security/CVE-2006-1736
ubuntu.com/security/CVE-2006-1737
ubuntu.com/security/CVE-2006-1738
ubuntu.com/security/CVE-2006-1739
ubuntu.com/security/CVE-2006-1740
ubuntu.com/security/CVE-2006-1741
ubuntu.com/security/CVE-2006-1742
ubuntu.com/security/CVE-2006-1790