Install Function in Firefox and Mozilla Permits Arbitrary Code Execution

oval:org.mitre.oval:def:100001

The install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary JavaScript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site.

Family: windows
Status: ACCEPTED
Platform(s):
  • Microsoft Windows Server 2003
  • Microsoft Windows XP
  • Microsoft Windows NT
  • Microsoft Windows 2000
Class: vulnerability
Reference(s):
  • CVE-2005-1477
Product(s):
  • mozilla