Overview
There is a vulnerability in the way Mozilla handles script-generated events that could allow a remote, unauthenticated attacker to access data contained on the victim's clipboard.
Description
Mozilla is an open-source web browser, email/newsgroup client, IRC client, and HTML editor available for a number of platforms including Microsoft Windows, Linux, and other UNIX platforms. When a web page is loaded by the browser, it will accept certain JavaScript events to control behavior on the page. These script-generated events can be applied to text fields. There is a vulnerability in the way Mozilla handles copy/paste keyboard shortcut sequences sent to text fields using JavaScript. While Mozilla restricts the use of copy (Ctrl+C) and paste (Ctrl+V) keyboard shortcut sequences, it fails to restrict other variations such as Ctrl+Ins (copy) and Shift+Ins (paste). Exploitation of this vulnerability could allow a remote, unauthenticated attacker to access the victim's clipboard.
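The incomplete restriction described above can be modelled as a shortcut filter that recognises only some of the key sequences bound to clipboard actions. The following is an added illustration, not Mozilla source code: the event records, the `synthetic` flag and all function names are hypothetical, and the sample events are constructed.

```javascript
// Added illustration; not Mozilla code. Events are constructed records:
// { key, ctrl, shift, synthetic }, where synthetic=true means the event was
// generated by page script rather than by the user's keyboard.

// Incomplete filter: recognises only Ctrl+C and Ctrl+V, matching the
// behaviour the note describes.
function isClipboardShortcutIncomplete(ev) {
  const k = ev.key.toLowerCase();
  return ev.ctrl && !ev.shift && (k === "c" || k === "v");
}

// Fuller filter: also covers Ctrl+Ins (copy) and Shift+Ins (paste) from the
// note. Ctrl+X and Shift+Del (cut) are added here as an assumption about
// which other bindings a filter of this kind should cover.
function isClipboardShortcut(ev) {
  const k = ev.key.toLowerCase();
  if (ev.ctrl && !ev.shift) return ["c", "v", "x", "insert"].includes(k);
  if (ev.shift && !ev.ctrl) return ["insert", "delete"].includes(k);
  return false;
}

// Policy: a script-generated event must never trigger a clipboard action.
// Keyboard input from the user is always allowed through.
function allowDispatch(ev, filter) {
  return !(ev.synthetic && filter(ev));
}

// Constructed sample events.
const SAMPLE_EVENTS = [
  { key: "c", ctrl: true, shift: false, synthetic: true },
  { key: "v", ctrl: true, shift: false, synthetic: true },
  { key: "Insert", ctrl: true, shift: false, synthetic: true },
  { key: "Insert", ctrl: false, shift: true, synthetic: true },
  { key: "Insert", ctrl: false, shift: true, synthetic: false }, // user paste
  { key: "a", ctrl: false, shift: false, synthetic: true },      // harmless
];

function label(ev) {
  return (ev.ctrl ? "Ctrl+" : "") + (ev.shift ? "Shift+" : "") + ev.key;
}

// Lists the scripted clipboard shortcuts that a given filter lets through.
function leaked(filter) {
  return SAMPLE_EVENTS
    .filter((ev) => ev.synthetic && isClipboardShortcut(ev) && allowDispatch(ev, filter))
    .map(label);
}

console.log("incomplete filter lets through:", leaked(isClipboardShortcutIncomplete));
console.log("fuller filter lets through:", leaked(isClipboardShortcut));
```

A filter that enumerates key sequences stays correct only as long as the list is complete; refusing to run any clipboard command from a script-generated event, whatever the key sequence, avoids that dependency.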
Impact
By convincing a victim to view a malicious web page, a remote, unauthenticated attacker could perform read/write operations to the victim's clipboard. Since users may copy/paste usernames, passwords, or potentially other sensitive information to the clipboard, the attacker could gain access to this information.
Solution
Upgrade
Acknowledgements
This vulnerability was reported by Wladimir Palant.
This document was written by Damon Morda.
Other Information
CVE IDs: None
Severity Metric: 16.88
Date Public: 2004-08-31
Date First Published: 2004-09-17
Date Last Updated: 2004-09-17 20:14 UTC
Document Revision: 19