CVE-2009-5017
Firefox < 3.6 - Cross-Site Scripting via Overlong UTF-8 Encoding
Title source: llmDescription
Mozilla Firefox before 3.6 Beta 3 does not properly handle overlong UTF-8 encoding, which makes it easier for remote attackers to bypass cross-site scripting (XSS) protection mechanisms via a crafted string, a different vulnerability than CVE-2010-1210.
References (4)
Core 4
Core References
Release Notes x_refsource_confirm
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/e42c563313a0
Patch x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=511859
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=522634
Exploit x_refsource_misc
http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html
Scores
EPSS
0.0187
EPSS Percentile
76.9%
Details
CWE
CWE-79
Status
published
Products (2)
mozilla/firefox
3.6 beta1
mozilla/firefox
< 3.6
Published
Nov 12, 2010
Tracked Since
Feb 18, 2026