You are here: Known Vulnerabilities in Mozilla Products (Firefox > MFSA 2008-03

Mozilla Foundation Security Advisory 2008-03

Title: Privilege escalation, XSS, Remote Code Execution
Impact: Critical
Announced: February 7, 2008
Reporter: moz_bug_r_a4, Boris Zbarsky
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox
  SeaMonkey 1.1.8


Mozilla contributors moz_bug_r_a4 and Boris Zbarsky submitted a series of vulnerabilities which allow scripts from page content to escape from its sandboxed context and/or run with chrome privileges. An additional vulnerability reported by moz_bug_r_a4 demonstrated that the XMLDocument.load() function can be used to inject script into another site, violating the browser's same-origin policy.


Disable JavaScript until a version containing these fixes can be installed.