Vulnerability Note VU#996798
Mozilla Firefox insecurely handles content from external applications
Mozilla Firefox does not properly enforce domain restrictions on content sent by external applications, allowing a remote attacker to execute code on a vulnerable system.
If Firefox is displaying a privileged chrome: URI, then the external application could cause Firefox to execute arbitrary code.
By convincing a user to open a specially crafted media file, an attacker may be able to execute arbitrary code on a vulnerable system. Other applications that have the ability to send URIs to Firefox may also be used to trigger the vulnerability. Additional impacts are similar to cross-site scripting attacks, as described in CERT Advisory CA-2000-02.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Mozilla, Inc. | Affected | - | 02 Aug 2005 |
| Netscape Communications Corporation | Affected | - | 02 Aug 2005 |
| Red Hat Software, Inc. | Affected | - | 15 Aug 2005 |
This vulnerability was reported in Mozilla Foundation Security Advisory 2005-53. Mozilla credits Michael Krax for providing information regarding this issue.
This document was written by Jeff Gennari and Will Dormann.
- CVE IDs: CAN-2005-2267
- Date Public: 13 Jul 2005
- Date First Published: 02 Aug 2005
- Date Last Updated: 15 Aug 2005
- Severity Metric: 8.02
- Document Revision: 48