New Search

Mozilla Firefox and SeaMonkey XSS Vulnerability due to window.dialogArguments being readable cross-domain

oval:org.mitre.oval:def:8355

Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8 and SeaMonkey before 2.0.3 does not properly restrict read access to object properties in showModalDialog which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via crafted dialogArguments values.

Family:
windows
Status:
ACCEPTED
Platform(s):
  • Microsoft Windows XP
  • Microsoft Windows 7
  • Microsoft Windows 2000
  • Microsoft Windows Vista
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2008
Class:
vulnerability
Reference(s):
  • CVE-2009-3988
Product(s):
  • Mozilla Firefox
  • Mozilla Seamonkey