CVE-2003-0791

CRITICAL

Mozilla <1.4 - Code Injection

Title source: llm

Description

The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier allows attackers to execute native methods by modifying the string used as input to the script.thaw JavaScript function, which is then deserialized and executed.

References (6)

[URL Repurposed] http://secunia.com/advisories/11103/

[Broken Link] http://www.mandriva.com/security/advisories?name=MDKSA-2004:021

[Broken Link, Patch, Vendor Advisory] http://www.osvdb.org/8390

[Broken Link, Patch, Third Party Advisory, VDB Entry, Vendor Advisory] http://www.securityfocus.com/advisories/6979

[Broken Link, Patch, Third Party Advisory, VDB Entry, Vendor Advisory] http://www.securityfocus.com/bid/9322

[Issue Tracking, Patch, Vendor Advisory] https://bugzilla.mozilla.org/show_bug.cgi?id=221526

Scores

CVSS v3 9.8

EPSS 0.0115

EPSS Percentile 78.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status draft

Affected Products (2)

mozilla/mozilla < 1.4

sco/openserver

Timeline

Published Oct 07, 2003

Tracked Since Feb 18, 2026