Title: Mozilla Multiple Product window.location Object CheckURL Function Incorrect Calling Document Return XSS Weakness
Info
Disclosure: Oct 26, 2012
Discovery: Unknown
Dates
Exploit: Unknown
Solution: Oct 26, 2012
Description
Multiple Mozilla products contain a flaw that is triggered when the checkURL function in window.location fails to return the proper calling document and principal. This may allow a remote attacker to conduct a cross-site scripting attack. Additionally, when using an add-on that interacts with the page content, code execution is possible.
Classification
Location: Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Private
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Web Related
Solution
Upgrade Firefox and Thunderbird to version 16.0.2 (10.0.10 ESR) or higher, and SeaMonkey to version 2.13.2 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.