Mozilla Firefox up to 1.0.4 Javascript Disabled XBL Control Remote Code Execution
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
4.5 | $0-$5k | 0.00 |
A vulnerability, which was classified as problematic, was found in Mozilla Firefox up to 1.0.4 (Web Browser). This affects some unknown functionality of the component Javascript Disabled XBL Control Handler. The manipulation with an unknown input leads to a remote code execution vulnerability. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user.
The weakness was published 07/13/2005 by moz_bug_r_a4 as MFSA2005-46 as not defined advisory (Website). The advisory is shared at mozilla.org. This vulnerability is uniquely identified as CVE-2005-2260 since 07/13/2005. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available.
It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 19260 (Fedora Core 3 : firefox-1.0.6-1.1.fc3 (2005-603)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Fedora Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 117890 (CentOS Security Update for Mozilla (CESA-2005:587)).
Upgrading eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at mozilla.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the vulnerability database at Tenable (19260). Similar entries are available at 1323, 1543, 1609 and 1607.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.0VulDB Meta Temp Score: 4.5
VulDB Base Score: 5.0
VulDB Temp Score: 4.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Remote Code ExecutionCWE: Unknown
ATT&CK: Unknown
Local: No
Remote: Yes
Availability: 🔍
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Nessus ID: 19260
Nessus Name: Fedora Core 3 : firefox-1.0.6-1.1.fc3 (2005-603)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 55121
OpenVAS Name: Debian Security Advisory DSA 779-1 (mozilla-firefox)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Patch: mozilla.org
Timeline
07/13/2005 🔍07/13/2005 🔍
07/13/2005 🔍
07/13/2005 🔍
07/13/2005 🔍
07/15/2005 🔍
07/21/2005 🔍
03/11/2021 🔍
Sources
Vendor: mozilla.orgProduct: mozilla.org
Advisory: MFSA2005-46
Researcher: moz_bug_r_a4
Status: Not defined
Confirmation: 🔍
CVE: CVE-2005-2260 (🔍)
OVAL: 🔍
SecurityFocus: 14242
Secunia: 16043 - Firefox Multiple Vulnerabilities, Highly Critical
Vupen: ADV-2005-1075
See also: 🔍
Entry
Created: 07/15/2005 12:08Updated: 03/11/2021 17:52
Changes: 07/15/2005 12:08 (69), 01/31/2018 09:52 (4), 03/11/2021 17:44 (7), 03/11/2021 17:46 (2), 03/11/2021 17:52 (1)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.