CVE-2006-0302

Current Description

The XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, and SeaMonkey before 1.0 does not validate the attribute name, which allows remote attackers to execute arbitrary Javascript by injecting RDF data into the user's localstore.rdf file.

Basic Data

Published: February 02, 2006
Last Modified: October 19, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: NVD-CWE-Other
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Integrity Impact: PARTIAL (I:P in the vector string)
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 5.0
Severity: MEDIUM
Exploitability Score: 10.0
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    CPE Version | Part        | Vendor  | Product   | Version | Update        | Edition | Language | SW Edition | Target SW | Target HW | Other
    2.3         | Application | Mozilla | Firefox   | 0.8     | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 0.9     | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 0.9     | CVE-2004-0909 | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 0.9.1   | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 0.9.2   | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 0.9.3   | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 0.10    | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 0.10.1  | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 1.0     | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 1.0.1   | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 1.0.2   | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 1.0.3   | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 1.0.4   | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 1.0.5   | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 1.0.6   | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 1.0.6   | *             | linux   | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 1.0.7   | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 1.5     | *             | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Firefox   | 1.5     | beta1         | *       | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Seamonkey | 1.0     | *             | alpha   | *        | *          | *         | *         | *
    2.3         | Application | Mozilla | Seamonkey | 1.0     | beta          | *       | *        | *          | *         | *         | *
    (The Version Start Including / Version End Including / Version Start Excluding / Version End Excluding columns are empty for every entry.)

Vulnerable Software List

Vendor  | Product   | Versions
Mozilla | Firefox   | 0.10, 0.10.1, 0.8, 0.9, 0.9.1, 0.9.2, 0.9.3, 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.5
Mozilla | Seamonkey | 1.0

References

Name | URL | Source | Tags
SCOSA-2006.26 | ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.26/SCOSA-2006.26.txt | SCO |
20060201-01-U | ftp://patches.sgi.com/support/free/security/advisories/20060201-01-U | SGI |
18700 | http://secunia.com/advisories/18700 | SECUNIA |
18703 | http://secunia.com/advisories/18703 | SECUNIA |
18704 | http://secunia.com/advisories/18704 | SECUNIA |
18705 | http://secunia.com/advisories/18705 | SECUNIA |
18706 | http://secunia.com/advisories/18706 | SECUNIA |
18708 | http://secunia.com/advisories/18708 | SECUNIA |
18709 | http://secunia.com/advisories/18709 | SECUNIA |
19230 | http://secunia.com/advisories/19230 | SECUNIA |
19746 | http://secunia.com/advisories/19746 | SECUNIA |
19759 | http://secunia.com/advisories/19759 | SECUNIA |
19780 | http://secunia.com/advisories/19780 | SECUNIA |
19821 | http://secunia.com/advisories/19821 | SECUNIA |
19823 | http://secunia.com/advisories/19823 | SECUNIA |
19852 | http://secunia.com/advisories/19852 | SECUNIA |
19862 | http://secunia.com/advisories/19862 | SECUNIA |
19863 | http://secunia.com/advisories/19863 | SECUNIA |
19902 | http://secunia.com/advisories/19902 | SECUNIA |
19941 | http://secunia.com/advisories/19941 | SECUNIA |
19950 | http://secunia.com/advisories/19950 | SECUNIA |
20051 | http://secunia.com/advisories/20051 | SECUNIA |
21033 | http://secunia.com/advisories/21033 | SECUNIA |
21622 | http://secunia.com/advisories/21622 | SECUNIA |
22065 | http://secunia.com/advisories/22065 | SECUNIA |
1015570 | http://securitytracker.com/id?1015570 | SECTRACK |
102550 | http://sunsolve.sun.com/search/document.do?assetkey=1-26-102550-1 | SUNALERT |
228526 | http://sunsolve.sun.com/search/document.do?assetkey=1-26-228526-1 | SUNALERT |
http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm | http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm | CONFIRM |
DSA-1044 | http://www.debian.org/security/2006/dsa-1044 | DEBIAN |
DSA-1046 | http://www.debian.org/security/2006/dsa-1046 | DEBIAN |
DSA-1051 | http://www.debian.org/security/2006/dsa-1051 | DEBIAN |
GLSA-200604-12 | http://www.gentoo.org/security/en/glsa/glsa-200604-12.xml | GENTOO |
GLSA-200604-18 | http://www.gentoo.org/security/en/glsa/glsa-200604-18.xml | GENTOO |
GLSA-200605-09 | http://www.gentoo.org/security/en/glsa/glsa-200605-09.xml | GENTOO |
VU#592425 | http://www.kb.cert.org/vuls/id/592425 | CERT-VN | US Government Resource
MDKSA-2006:036 | http://www.mandriva.com/security/advisories?name=MDKSA-2006:036 | MANDRIVA |
MDKSA-2006:037 | http://www.mandriva.com/security/advisories?name=MDKSA-2006:037 | MANDRIVA |
MDKSA-2006:078 | http://www.mandriva.com/security/advisories?name=MDKSA-2006:078 | MANDRIVA |
http://www.mozilla.org/security/announce/2006/mfsa2006-05.html | http://www.mozilla.org/security/announce/2006/mfsa2006-05.html | CONFIRM |
SUSE-SA:2006:022 | http://www.novell.com/linux/security/advisories/2006_04_25.html | SUSE |
FEDORA-2006-075 | http://www.redhat.com/archives/fedora-announce-list/2006-February/msg00005.html | FEDORA |
FEDORA-2006-076 | http://www.redhat.com/archives/fedora-announce-list/2006-February/msg00006.html | FEDORA |
RHSA-2006:0199 | http://www.redhat.com/support/errata/RHSA-2006-0199.html | REDHAT | Vendor Advisory
RHSA-2006:0200 | http://www.redhat.com/support/errata/RHSA-2006-0200.html | REDHAT | Vendor Advisory
RHSA-2006:0330 | http://www.redhat.com/support/errata/RHSA-2006-0330.html | REDHAT |
FLSA:180036-1 | http://www.securityfocus.com/archive/1/425975/100/0/threaded | FEDORA |
FLSA-2006:180036-2 | http://www.securityfocus.com/archive/1/425978/100/0/threaded | FEDORA |
HPSBUX02122 | http://www.securityfocus.com/archive/1/438730/100/0/threaded | HP |
SSRT061236 | http://www.securityfocus.com/archive/1/446657/100/200/threaded | HP |
16476 | http://www.securityfocus.com/bid/16476 | BID |
TA06-038A | http://www.us-cert.gov/cas/techalerts/TA06-038A.html | CERT | US Government Resource
ADV-2006-0413 | http://www.vupen.com/english/advisories/2006/0413 | VUPEN |
ADV-2006-3391 | http://www.vupen.com/english/advisories/2006/3391 | VUPEN |
ADV-2006-3749 | http://www.vupen.com/english/advisories/2006/3749 | VUPEN |
https://bugzilla.mozilla.org/show_bug.cgi?id=319847 | https://bugzilla.mozilla.org/show_bug.cgi?id=319847 | CONFIRM |
mozilla-xuldocument-command-execution(24434) | https://exchange.xforce.ibmcloud.com/vulnerabilities/24434 | XF |
oval:org.mitre.oval:def:11803 | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11803 | OVAL |
oval:org.mitre.oval:def:1493 | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1493 | OVAL |
USN-271-1 | https://usn.ubuntu.com/271-1/ | UBUNTU |
USN-275-1 | https://usn.ubuntu.com/275-1/ | UBUNTU |
USN-276-1 | https://usn.ubuntu.com/276-1/ | UBUNTU |