Microsoft Internet Explorer 6 on Windows XP SP2/SP3 and IE 7 on Vista - DoS via LI Element Attribute Manipulation
Microsoft Internet Explorer 6 on Windows XP SP2 and SP3, and Internet Explorer 7 on Vista, allows remote attackers to cause a denial of service (application crash) via JavaScript code that calls createElement to create an instance of the LI element, and then calls setAttribute to set the value attribute.