OSVDB ID: 86774

Title: Mozilla Multiple Product window.location Object valueOf Method Shadowing XSS Weakness

Info

Disclosure
Oct 26, 2012

Discovery
Unknown

Dates

Exploit
Unknown

Solution
Oct 26, 2012

Description

 Multiple Mozilla products contain a flaw that is triggered by the true value of window.location being shadowed via user-supplied input passed to the valueOf method. This may allow a remote attacker to perform a cross-site scripting attack, when combined with certain unspecified plugins.

Classification

 Location: Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Private
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Web Related

Solution

 Upgrade Firefox and Thunderbird to version 16.0.2 (10.0.10 ESR) or higher, and SeaMonkey to version 2.13.2 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Mozilla Organization

Firefox

 16.0.1

Firefox ESR

 10.0.9

Thunderbird

 16.0.1

Thunderbird ESR

 10.0.9

SeaMonkey

 2.13.1

References

Credit

Unknown or Incomplete


Direct URL: http://osvdb.org/86774