CVE-2007-1947

Firebug < 1.03 - Cross-Zone Scripting via DOM Templates


Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-1947. PoCs published by Thor Larholm.

AI-analyzed exploit summary: This exploit demonstrates a script-code-injection vulnerability in Firebug prior to version 1.04. It leverages improper escaping of user-supplied data to inject arbitrary script code into the Firebug console.

Description

Cross-zone scripting vulnerability in the DOM templates (domplates) used by the console.log function in the Firebug extension before 1.04 for Mozilla Firefox allows remote attackers to bypass zone restrictions, read arbitrary file:// URIs, or execute arbitrary code in the browser chrome by overwriting the toString function via a certain function declaration, related to incorrect identification of anonymous JavaScript functions, a different issue than CVE-2007-1878.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Thor Larholm · html · remote · multiple
https://www.exploit-db.com/exploits/29820

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Firebug < 1.04
No auth needed
Prerequisites: Firebug installed and enabled · JavaScript enabled in the browser
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/464875/100/0/threaded
Patch, Vendor Advisory x_refsource_confirm
http://larholm.com/2007/04/06/more-0day-in-firebug/#comment-6
Vendor Advisory x_refsource_misc
http://larholm.com/2007/04/06/more-0day-in-firebug/

Scores

EPSS 0.0448
EPSS Percentile 90.2%

Details

Status published
Products (1)
parakey_inc./firebug < 1.03
Published Apr 11, 2007
Tracked Since Feb 18, 2026