Overview
Mozilla products fail to properly restrict access to privileged XBL bindings. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code.
Description
XBL According to Mozilla, XBL "is a markup language that defines special new elements, or 'bindings' for XUL widgets (and for HTML elements ...) ". |
Impact
A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. |
Solution
Upgrade |
Disable JavaScript
|
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
| Temporal | 0 | E:ND/RL:ND/RC:ND |
| Environmental | 0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
- http://www.mozilla.org/security/announce/2006/mfsa2006-16.html
- https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/Tutorial/Introduction_to_XBL
- https://bugzilla.mozilla.org/show_bug.cgi?id=312871
- https://bugzilla.mozilla.org/show_bug.cgi?id=313236
- https://bugzilla.mozilla.org/show_bug.cgi?id=313375
Acknowledgements
This vulnerability was reported in Mozilla Foundation Security Advisory 2006-16. Mozilla credits moz_bug_r_a4 with providing information regarding this issue.
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | CVE-2006-1733 |
| Severity Metric: | 26.44 |
| Date Public: | 2006-04-13 |
| Date First Published: | 2006-04-17 |
| Date Last Updated: | 2017-01-20 17:06 UTC |
| Document Revision: | 25 |