You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2009-12

Mozilla Foundation Security Advisory 2009-12

Title: XSL Transformation vulnerability
Impact: Critical
Announced: March 27, 2009
Reporter: Guido Landi, Andre, Michael Rooney, Martin
Products: Firefox, SeaMonkey

Fixed in: Firefox 3.0.8
  SeaMonkey 1.1.16


Security researcher Guido Landi discovered that a XSL stylesheet could be used to crash the browser during a XSL transformation. An attacker could potentially use this crash to run arbitrary code on a victim's computer.

This vulnerability was also previously reported as a stability problem by Ubuntu community member, Andre. Ubuntu community member Michael Rooney reported Andre's findings to Mozilla, and Mozilla community member Martin helped reduce Andre's original testcase and contributed a patch to fix the vulnerability.