• Security Center
  • Security Advisories
  • Known Vulnerabilities
  • Bug Bounty
  • Security Blog

You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-101

Mozilla Foundation Security Advisory 2012-101

Title: Improper character decoding in HZ-GB-2312 charset
Impact: High
Announced: November 20, 2012
Reporter: Masato Kinugawa
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 17.0
  Firefox ESR 10.0.11
  Thunderbird 17.0
  Thunderbird ESR 10.0.11
  SeaMonkey 2.14

Description

Security researcher Masato Kinugawa found when HZ-GB-2312 charset encoding is used for text, the "~" character will destroy another character near the chunk delimiter. This can lead to a cross-site scripting (XSS) attack in pages encoded in HZ-GB-2312.

References

• "~" eats a char near chunk delimiter in HZ-GB-2312 encoding
• CVE-2012-4207