CVE-2009-2665

Loading...

General

Score:10.0/10.0
Severity:High
Category:Input Validation Error
Exploit:Available

Impact Metrics

Confidentiality:Complete
Integrity:Complete
Availability:Complete

Exploitability Metrics

Access Vector:Network
Access Complexity:Low
Authentication:None

Published on 04/08/09 - Updated on 04/09/09

Description

The nsDocument::SetScriptGlobalObject function in content/base/src/nsDocument.cpp in Mozilla Firefox 3.5.x before 3.5.2, when certain add-ons are enabled, does not properly handle a Link HTTP header, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafted web page, related to an incorrect security wrapper.

Category: Input Validation Error

CWE-94 (Code Injection)
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Security Notices

US National Vulnerability DatabaseCVE-2009-2665
Mozilla MFSA2009-46

Exploits

SecurityFocusBID-35928

Relative technologies

VendorProduct
mozillafirefox

Share this vulnerability with:

Twitter Facebook LinkedIn Mail