You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.0.1) > MFSA 2005-20
Mozilla Foundation Security Advisory 2005-20
Title: XSLT can include stylesheets from arbitrary hosts
Reporter: Georgi Guninski
Products: Firefox, Mozilla Suite
Fixed in: Firefox 1.0.1
Mozilla Suite 1.7.6
xsl:include and xsl:import can include XSLT stylesheets from arbitrary domains including those behind the user's firewall. This at least allows for existence checking of these files; it's not clear how much, if any, data could be extracted from arbitrary XML files.
Upgrade to a fixed build.