Overview
A vulnerability exists in Mozilla products that may allow a remote attacker to gain elevated privileges.
Description
Mozilla products contain a vulnerability in the way the JavaScript watch() function is handled that may result in privilege escalation. According to the Mozilla Foundation Security Advisory 2006-70: Shutdown demonstrated that it was possible to use a JavaScript watch() to gain elevated privilege. |
Impact
A remote, unauthenticated attacker may be able to gain elevated privileges. |
Solution
Apply an update According to the Mozilla Foundation Security Advisory 2006-70, this vulnerability is addressed in Firefox 2.0.0.1, Firefox 1.5.0.9, Thunderbird 1.5.0.9, and SeaMonkey 1.0.7. |
Disable JavaScript
|
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.mozilla.org/security/announce/2006/mfsa2006-70.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=354978
- http://secunia.com/advisories/23591/
- http://secunia.com/advisories/23598/
- http://secunia.com/advisories/23439/
- http://secunia.com/advisories/23514/
- http://secunia.com/advisories/23545/
- http://secunia.com/advisories/23601/
- http://secunia.com/advisories/23614/
- http://secunia.com/advisories/23618/
- http://secunia.com/advisories/23692/
- http://www.securityfocus.com/bid/21668
- http://secunia.com/advisories/23988/
Acknowledgements
This issue was reported in Mozilla Foundation Security Advisory 2006-70. Mozilla credits shutdown with providing information about this issue.
This document was written by Chris Taschner.
Other Information
| CVE IDs: | CVE-2006-6501 |
| Severity Metric: | 24.30 |
| Date Public: | 2006-12-19 |
| Date First Published: | 2007-01-18 |
| Date Last Updated: | 2007-02-02 16:45 UTC |
| Document Revision: | 26 |