Mozilla Multiple Products Document Charset OBJECT Element UTF-7 XSS Protection Mechanism Bypass

oval:org.mitre.oval:def:11735

Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict use of the type attribute of an OBJECT element to set a document's charset, which allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms via UTF-7 encoding.

Family: windows
Status: ACCEPTED
Platform(s):
  • Microsoft Windows 7
  • Microsoft Windows Vista
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2003
  • Microsoft Windows XP
  • Microsoft Windows 2000
Class: vulnerability
Reference(s):
  • CVE-2010-2768
Product(s):
  • Mozilla Thunderbird
  • Mozilla Firefox
  • Mozilla SeaMonkey