Mozilla Multiple Products Document Charset OBJECT Element UTF-7 XSS Protection Mechanism Bypass

oval:org.mitre.oval:def:11735

Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict use of the type attribute of an OBJECT element to set a document's charset, which allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms via UTF-7 encoding.

Family:
windows
Status:
ACCEPTED
Platform(s):
  • Microsoft Windows XP
  • Microsoft Windows 2000
  • Microsoft Windows Vista
  • Microsoft Windows 7
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2003
Class:
vulnerability
Reference(s):
  • CVE-2010-2768
Product(s):
  • Mozilla SeaMonkey
  • Mozilla Thunderbird
  • Mozilla Firefox