- December 19, 2006
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 18.104.22.168
- Firefox 22.214.171.124
- SeaMonkey 1.0.7
- Thunderbird 126.96.36.199
moz_bug_r_a4 reported that the
src attribute of an
to bypass the protections against cross-site script (XSS) injection.
The injected script could steal credentials and financial data, or perform
destructive actions on behalf of a logged-in user.
Exploit details withheld until after the active update period.