CVE-2010-1585

Mozilla Firefox <3.5.17 & 3.6.x <3.6.14 - RCE

Title source: llm
STIX 2.1

Description

The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFragmentSink protection mechanism in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 does not properly sanitize HTML in a chrome document, which makes it easier for remote attackers to execute arbitrary JavaScript with chrome privileges via a javascript: URI in input to an extension, as demonstrated by a javascript:alert sequence in (1) the HREF attribute of an A element or (2) the ACTION attribute of a FORM element.

References (9)

Core 9
Core References
Various Sources x_refsource_confirm
http://downloads.avaya.com/css/P8/documents/100133195
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=562547
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/510883/100/0/threaded
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2011:041
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12532
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2011:042

Scores

EPSS 0.0447
EPSS Percentile 90.3%

Details

CWE
CWE-20
Status published
Products (47)
mozilla/firefox 3.6
mozilla/firefox 3.6.2
mozilla/firefox 3.6.3
mozilla/firefox 3.6.4
mozilla/firefox 3.6.6
mozilla/firefox 3.6.7
mozilla/firefox 3.6.8
mozilla/firefox 3.6.9
mozilla/firefox 3.6.10
mozilla/firefox 3.6.11
... and 37 more
Published Apr 28, 2010
Tracked Since Feb 18, 2026