| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Mozilla Firefox 3.0.10 and earlier on Linux allows remote attackers to cause a denial of service (application crash) via a URI for a large GIF image in the BACKGROUND attribute of a BODY element. |
| nsViewManager.cpp in Mozilla Firefox 3.0.2 through 3.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to interaction with TinyMCE. |
| Worldweaver DX Studio Player 3.0.29.0, 3.0.22.0, 3.0.12.0, and probably other versions before 3.0.29.1, when used as a plug-in for Firefox, does not restrict access to the shell.execute JavaScript API method, which allows remote attackers to execute arbitrary commands via a .dxstudio file that invokes this method. |
| js/src/xpconnect/src/xpcwrappedjsclass.cpp in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to execute arbitrary web script with the privileges of a chrome object, as demonstrated by the browser sidebar and the FeedWriter. |
| Mozilla Firefox before 3.0.11, Thunderbird, and SeaMonkey do not check content policy before loading a script file into a XUL document, which allows remote attackers to bypass intended access restrictions via a crafted HTML document, as demonstrated by a "web bug" in an e-mail message, or web script or an advertisement in a web page. |
| Mozilla Firefox 3 before 3.0.11 associates an incorrect principal with a file: URL loaded through the location bar, which allows user-assisted remote attackers to bypass intended access restrictions and read files via a crafted HTML document, aka a "file-URL-to-file-URL scripting" attack. |
| The garbage-collection implementation in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 sets an element's owner document to null in unspecified circumstances, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafted event handler, related to an incorrect context for this event handler. |
| Race condition in the NPObjWrapper_NewResolve function in modules/plugin/base/src/nsJSNPRuntime.cpp in xul.dll in Mozilla Firefox 3 before 3.0.11 might allow remote attackers to execute arbitrary code via a page transition during Java applet loading, related to a use-after-free vulnerability for memory associated with a destroyed Java object. |
| Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 use the HTTP Host header to determine the context of a document provided in a non-200 CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack. |
| The JavaScript engine in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) js_LeaveSharpObject, (2) ParseXMLSource, and (3) a certain assertion in jsinterp.c; and other vectors. |
| Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors involving "double frame construction." |
| Mozilla Firefox 3.0.10 allows remote attackers to cause a denial of service (infinite loop, application hang, and memory consumption) via a KEYGEN element in conjunction with (1) a META element specifying automatic page refresh or (2) a JavaScript onLoad event handler for a BODY element. NOTE: it was later reported that earlier versions are also affected. |
| The SVG component in Mozilla Firefox 3.0.4 allows remote attackers to cause a denial of service (application hang) via a large value in the r (aka Radius) attribute of a circle element, related to an "unclamped loop." |
| Mozilla Firefox executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as demonstrated by a web site that permits PDF uploads by untrusted users, and therefore has a shared document.domain between the web site and this javascript: URI. NOTE: the researcher reports that Adobe's position is "a PDF file is active content." |
| The browser engine in Mozilla Firefox 3 before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) nsEventStateManager::GetContentState and nsNativeTheme::CheckBooleanAttr; (2) UnhookTextRunFromFrames and ClearAllTextRunReferences; (3) nsTextFrame::ClearTextRun; (4) IsPercentageAware; (5) PL_DHashTableFinish; (6) nsListBoxBodyFrame::GetNextItemBox; (7) AtomTableClearEntry, related to the atom table, DOM mutation events, and Unicode surrogates; (8) nsHTMLEditor::HideResizers; and (9) nsWindow::SetCursor, related to changing the cursor; and other vectors. |
| Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected. |
| Mozilla Firefox before 3.0.9 and SeaMonkey before 1.1.17 allow user-assisted remote attackers to obtain sensitive information via a web page with an embedded frame, which causes POST data from an outer page to be sent to the inner frame's URL during a SAVEMODE_FILEONLY save of the inner frame. |
| The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation. |
| Cross-site scripting (XSS) vulnerability in the MozSearch plugin implementation in Mozilla Firefox before 3.0.9 allows user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SearchForm element. |
| A regression error in Mozilla Firefox 2.x before 2.0.0.2 and 1.x before 1.5.0.10, and SeaMonkey 1.1 before 1.1.1 and 1.0 before 1.0.8, allows remote attackers to execute arbitrary JavaScript as the user via an HTML mail message with a javascript: URI in an (1) img, (2) link, or (3) style tag, which bypasses the access checks and executes code with chrome privileges. |
