Mozilla Foundation Security Advisory 2009-12
XSL Transformation vulnerability
- March 27, 2009
- Guido Landi, Andre, Michael Rooney, Martin
- Firefox, SeaMonkey
- Fixed in
- Firefox 3.0.8
- SeaMonkey 1.1.16
Security researcher Guido Landi discovered that a XSL stylesheet could be used to crash the browser during a XSL transformation. An attacker could potentially use this crash to run arbitrary code on a victim's computer.
This vulnerability was also previously reported as a stability problem by Ubuntu community member, Andre. Ubuntu community member Michael Rooney reported Andre's findings to Mozilla, and Mozilla community member Martin helped reduce Andre's original testcase and contributed a patch to fix the vulnerability.