Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 4.3
CVE Id: CVE-2006-0496
Last Modified: 19 Apr 2011 09:48:56
Published: 31 Jan 2006 09:02:00
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2006-0496

Summary

Cross-site scripting (XSS) vulnerability in Mozilla 1.7.12 and possibly earlier, Mozilla Firefox 1.0.7 and possibly earlier, and Netscape 8.1 and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the -moz-binding (Cascading Style Sheets) CSS property, which does not require that the style sheet have the same origin as the web page, as demonstrated by the compromise of a large number of LiveJournal accounts.

Vulnerable Systems

Application

  • Mozilla 1.7

  • Mozilla 1.7.1

  • Mozilla 1.7.10

  • Mozilla 1.7.11

  • Mozilla 1.7.12

  • Mozilla 1.7.2

  • Mozilla 1.7.3

  • Mozilla 1.7.5

  • Mozilla 1.7.6

  • Mozilla 1.7.7

  • Mozilla 1.7.8

  • Mozilla Firefox 1.0

  • Mozilla Firefox 1.0.1

  • Mozilla Firefox 1.0.2

  • Mozilla Firefox 1.0.3

  • Mozilla Firefox 1.0.4

  • Mozilla Firefox 1.0.5

  • Mozilla Firefox 1.0.6

  • Mozilla Firefox 1.0.7


References

CONFIRM - https://bugzilla.mozilla.org/show_bug.cgi?id=324253

XF - mozilla-mozbinding-xss(24427)

VUPEN - ADV-2006-0403

BID - 16427

OSVDB - 22924

MISC - http://www.davidpashley.com/cgi/pyblosxom.cgi/computing/livejournal-mozilla-bug.html

SECTRACK - 1015563

SECTRACK - 1015553

FULLDISC - 20060128 -moz-binding CSS property: more XSS fun

MISC - http://community.livejournal.com/lj_dev/708069.html


Last Updated: 27 May 2016 10:41:40