CVE-2005-1477: XSS
First published: Mon May 09 2005(Updated: )
The install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary Javascript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | =1.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://greyhatsecurity.org/firefox.htm
- http://greyhatsecurity.org/vulntests/ffrc.htm
- http://www.mozilla.org/security/announce/mfsa2005-42.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=293302
- https://bugzilla.mozilla.org/show_bug.cgi?id=292691
- http://secunia.com/advisories/15292
- http://www.kb.cert.org/vuls/id/648758
- http://www.securityfocus.com/bid/13544
- http://securitytracker.com/id?1013913
- http://www.securityfocus.com/bid/15495
- http://www.redhat.com/support/errata/RHSA-2005-434.html
- http://www.redhat.com/support/errata/RHSA-2005-435.html
- http://www.vupen.com/english/advisories/2005/0493
- http://marc.info/?l=full-disclosure&m=111556301530553&w=2
- http://marc.info/?l=full-disclosure&m=111553138007647&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/20443
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9231
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100001
- agent/references
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/weakness
- agent/author
- agent/remedy
- agent/severity
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/mozilla
- canonical/mozilla firefox
- version/mozilla firefox/1.0.3