JVNDB-2007-000176

Mozilla Firefox cross-site scripting vulnerability

Overview

Mozilla Firefox, a web browser from Mozilla Corporation and Mozilla Japan, contains a cross-site scripting vulnerability.

Mozilla Firefox interprets HTML data improperly and activates event handlers for invalid HTML elements, leading to a cross-site scripting vulnerability.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


mozilla.org contributors
  • Mozilla Firefox prior to version 2.0.0.2
  • Mozilla Firefox prior to version 1.5.0.10
  • Mozilla SeaMonkey prior to version 1.0.7
Turbolinux, Inc.
  • Turbolinux 10_f
  • Turbolinux Desktop 10
  • Turbolinux Multimedia
  • Turbolinux Personal
  • Turbolinux Server 10
  • Turbolinux Server 10 (x64)
  • Turbolinux Home
Hewlett-Packard Development Company, L.P
  • HP-UX 11.11
  • HP-UX 11.23
MIRACLE LINUX CORPORATION
  • Asianux Server 2.0
  • Asianux Server 2.1
  • Asianux Server 4.0
  • Asianux Server 4.0 (x86-64)
Red Hat, Inc.
  • RHEL Optional Productivity Applications 5 (server)
  • Red Hat Enterprise Linux 5 (server)
  • Red Hat Enterprise Linux 2.1 (as)
  • Red Hat Enterprise Linux 3 (as)
  • Red Hat Enterprise Linux 4 (as)
  • Red Hat Enterprise Linux 2.1 (es)
  • Red Hat Enterprise Linux 3 (es)
  • Red Hat Enterprise Linux 4 (es)
  • Red Hat Enterprise Linux 2.1 (ws)
  • Red Hat Enterprise Linux 3 (ws)
  • Red Hat Enterprise Linux 4 (ws)
  • Red Hat Enterprise Linux Desktop 3.0
  • Red Hat Enterprise Linux Desktop 4.0
  • Red Hat Enterprise Linux Desktop 5.0 (client)
  • Red Hat Linux Advanced Workstation 2.1
  • RHEL Desktop Workstation 5 (client)

Impact

An arbitrary script may be executed on the user's web browser.
Solution

[Upgrade the Software]

Mozilla has released Firefox 2.0.0.2 and 1.5.0.10 which address this vulnerability. We recommend that users of the affected products upgrade to the fixed version of the software.
Vendor Information

  • mozilla.org contributors
  • Turbolinux, Inc.
  • Hewlett-Packard Development Company, L.P
  • MIRACLE LINUX CORPORATION
  • Red Hat, Inc.

CVE

  1. CVE-2007-0995
References

  1. JVN : JVN#38605899
  2. National Vulnerability Database (NVD) : CVE-2007-0995
  3. Secunia Advisory : SA24205
  4. Secunia Advisory : SA24238
  5. SecurityFocus : 22694
  6. FrSIRT Advisories : FrSIRT/ADV-2007-0718
Revision History

  • [2008/05/21]
      Web page published