You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-29

Mozilla Foundation Security Advisory 2012-29

Title: Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
Impact: Moderate
Announced: April 24, 2012
Reporter: Masato Kinugawa
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 12.0
  Firefox ESR 10.0.4
  Thunderbird 12.0
  Thunderbird ESR 10.0.4
  SeaMonkey 2.9


Security researcher Masato Kinugawa found that during the decoding of ISO-2022-KR and ISO-2022-CN character sets, characters near 1024 bytes are treated incorrectly, either doubling or deleting bytes. On certain pages it might be possible for an attacker to pad the output of the page such that these errors fall in the right place to affect the structure of the page, allowing for cross-site script (XSS) injection.