Lookup for vulnerabilities affecting packages.
| Vulnerability_id | VCID-zm4q-unv1-x3d6 |
|---|
| Summary | Mozilla security researcher moz_bug_r_a4 reported
that mozIJSSubScriptLoader.LoadScript() only applied XPCNativeWrappers to
scripts loaded from standard chrome: URIs. Add-ons using
this feature to load scripts from other schemes such as file:
or data: (typically dynamically generated scripts) and
chrome: URIs using non-canonical package names (e.g. uppercase) did
not have the protective wrappers applied. If the scripts interact
with web content in any way that content could exploit the unwrapped
scripts to run arbitrary code.Firefox itself does not use this feature in a vulnerable way and
users who have not installed any Add-ons are not at risk. We have,
however, identified popular Add-ons using this feature whose
users are at risk and there are no doubt others.Thunderbird users are not at risk when JavaScript is
disabled in mail. This is the default setting and we strongly discourage
users from enabling JavaScript in mail. |
|---|
| Aliases |
|
|---|
| Fixed_packages |
|
|---|
| Affected_packages |
|
|---|
| References |
|
|---|
| Weaknesses |
|
|---|
| Exploits |
|
|---|
| Severity_range_score | 9.0 - 10.0 |
|---|
| Exploitability | null |
|---|
| Weighted_severity | null |
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-zm4q-unv1-x3d6 |
|---|