You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-104

Mozilla Foundation Security Advisory 2012-104

Title: CSS and HTML injection through Style Inspector
Impact: Critical
Announced: November 20, 2012
Reporter: Mariusz Mlynski
Products: Firefox

Fixed in: Firefox 17.0
  Firefox ESR 10.0.11

Description

Security researcher Mariusz Mlynski reported that when a maliciously crafted stylesheet is inspected in the Style Inspector, HTML and CSS can run in a chrome privileged context without being properly sanitized first. This can lead to arbitrary code execution.

References