OSVDB ID: 43458

Title: Mozilla Multiple Products XPCNativeWrapper js_GetClassPrototype .prototype Bypass

Info

Disclosure

Feb 08, 2008

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to execute script outside of the sandbox and conduct cross-site scripting (XSS) attacks via multiple vectors including the XMLDocument.load function, aka "JavaScript privilege escalation bugs."

Classification

Disclosure: Vendor Verified

Solution

Upgrade to Firefox version 2.0.0.12, Thunderbird 2.0.0.12, Seamonkey 1.1.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Mozilla Organization	Firefox	2.0.0.11
	SeaMonkey	1.1.7
	Thunderbird	2.0.0.11

References

Related OSVDB ID: 1023983 41215 41217 41218 41221 41222 41223 43456 43457 43459 43460 43461
CVE ID: 2008-0415 (see also: NVD)
Secunia Advisory ID: 28754 28758 28766 28815 28818 28839 28864 28865 28877 28879 28924 28939 28958 29049 29086 29098 29164 29167 29211 29567 30327 30620 31043
SCIP VulDB ID: 3586
Other Advisory URL: http://browser.netscape.com/releasenotes/
http://lists.debian.org/debian-security-announce/2008/msg00070.html
http://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00049.html
http://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00050.html
http://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00051.html
http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00006.html
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.445399
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238492-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-239546-1
http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0051
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093
http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml
http://www.ubuntu.com/usn/usn-576-1
http://www.ubuntu.com/usn/usn-582-1
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00274.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00309.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00905.html
Vendor Specific Advisory URL: http://www.mozilla.org/security/announce/2008/mfsa2008-03.html
Vendor Specific News/Changelog Entry: https://bugzilla.mozilla.org/show_bug.cgi?id=407289

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/43458

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Mozilla Organization

Firefox

SeaMonkey

Thunderbird

References

Credit