You are here: Known Vulnerabilities in Mozilla Products (Firefox 2.0.0.12) > MFSA 2008-03

Mozilla Foundation Security Advisory 2008-03

Title: Privilege escalation, XSS, Remote Code Execution
Impact: Critical
Announced: February 7, 2008
Reporter: moz_bug_r_a4, Boris Zbarsky
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 2.0.0.12
  Thunderbird 2.0.0.12
  SeaMonkey 1.1.8

Description

Mozilla contributors moz_bug_r_a4 and Boris Zbarsky submitted a series of vulnerabilities which allow scripts from page content to escape from its sandboxed context and/or run with chrome privileges. An additional vulnerability reported by moz_bug_r_a4 demonstrated that the XMLDocument.load() function can be used to inject script into another site, violating the browser's same-origin policy.

Workaround

Disable JavaScript until a version containing these fixes can be installed.

References