New Search

Mozilla Cross-site JavaScript Injection Using Event Handlers

oval:org.mitre.oval:def:1855

Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8 Mozilla Suite before 1.7.13 and SeaMonkey before 1.0 allows remote attackers to inject arbitrary Javascript into other sites by (1) "using a modal alert to suspend an event handler while a new page is being loaded" (2) using eval() and using certain variants involving (3) "new Script;" and (4) using window.__proto__ to extend eval aka "cross-site JavaScript injection".

Family:
windows
Status:
ACCEPTED
Platform(s):
  • Microsoft Windows XP
  • Microsoft Windows 2000
  • Microsoft Windows Server 2003
Class:
vulnerability
Reference(s):
  • CVE-2006-1741
Product(s):
  • mozilla