CVE-2010-0170

Firefox < 3.6.2 - Cross-Site Scripting via Plugin Window Location Bypass

Title source: llm
STIX 2.1

Description

Mozilla Firefox 3.6 before 3.6.2 does not offer plugins the expected window.location protection mechanism, which might allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors that are specific to each affected plugin.

References (7)

Core 7
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/38918
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/38919
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8602
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=541530
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2010:070
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0692

Scores

EPSS 0.0157
EPSS Percentile 72.6%

Details

CWE
CWE-79
Status published
Products (1)
mozilla/firefox 3.6
Published Mar 25, 2010
Tracked Since Feb 18, 2026