Mozilla Foundation Security Advisory 2005-20

Title: XSLT can include stylesheets from arbitrary hosts
Severity: Low
Risk: High
Reporter: Georgi Guninski
Products: Firefox, Mozilla Suite

Fixed in: Firefox 1.0.1, Mozilla Suite 1.7.6

Description

xsl:include and xsl:import can load XSLT stylesheets from arbitrary domains, including those behind the user's firewall. At a minimum this allows checking whether such files exist; it is not clear how much data, if any, could be extracted from arbitrary XML files.
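
An added example, not part of the advisory and not a description of Mozilla's fix: a Python audit that lists the xsl:include and xsl:import references in a stylesheet that resolve to a different origin than the stylesheet itself. The same-origin comparison, the function names and the example.com / intranet.example URLs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# The two elements named in the advisory, in ElementTree's {namespace}tag form.
TAGS = {"{%s}include" % XSL_NS: "xsl:include",
        "{%s}import" % XSL_NS: "xsl:import"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), lower-cased, with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))


def cross_origin_includes(stylesheet_text, base_url):
    """List (element, resolved_url), in document order, for every
    xsl:include / xsl:import whose href leaves the origin of base_url."""
    findings = []
    for el in ET.fromstring(stylesheet_text).iter():
        label = TAGS.get(el.tag)
        href = el.get("href")
        if label is None or href is None:
            continue
        # Relative and scheme-relative hrefs resolve against the stylesheet URL.
        target = urljoin(base_url, href)
        if origin(target) != origin(base_url):
            findings.append((label, target))
    return findings


# Constructed sample stylesheet; every URL in it is a placeholder.
SAMPLE = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="common/base.xsl"/>
  <xsl:include href="http://intranet.example/private/report.xsl"/>
  <xsl:include href="//www.example.com:80/shared.xsl"/>
  <xsl:include href="https://www.example.com/secure.xsl"/>
</xsl:stylesheet>"""

if __name__ == "__main__":
    base = "http://www.example.com/styles/main.xsl"  # assumed stylesheet URL
    for element, url in cross_origin_includes(SAMPLE, base):
        print(element, "->", url)
```

The relative import and the explicit-port include stay on the stylesheet's own origin and are not reported; the intranet host and the scheme change are.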

Workaround

Upgrade to a fixed build.
