search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Mozilla JavaScript privilege escalation

Vulnerability Note VU#466521

Original Release Date: 2008-03-27 | Last Revised: 2008-03-27

Overview

Mozilla products contain multiple vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code.

Description

Mozilla Firefox, Thunderbird, and SeaMonkey do not properly handle JavaScript, which may allow privilege escalation and execution of arbitrary code on an affected system.

Impact

Successful exploitation of this vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Solution

Apply an update

Mozilla Foundation has issued new versions of the affected products which address these vulnerabilities. Please see MFSA 2008-14 for more details.

Workaround
Disabling JavaScript is an effective workaround for these vulnerabilities. It is strongly recommended that you disable JavaScript until a version containing patches for these vulnerabilities can be installed.

Vendor Information

466521
 
Expand all

Mozilla Affected

Updated:  March 27, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Mozilla Foundation has issued new versions of the affected products which address these vulnerabilities.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://www.mozilla.org/security/announce/2008/mfsa2008-14.html

Acknowledgements

This document was written by Joseph Pruszynski.

Other Information

CVE IDs: CVE-2008-1233, CVE-2008-1234, CVE-2008-1235
Severity Metric: 20.38
Date Public: 2008-03-25
Date First Published: 2008-03-27
Date Last Updated: 2008-03-27 21:08 UTC
Document Revision: 17

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis