Lookup for vulnerabilities affecting packages.
| Vulnerability_id | VCID-yng5-8qtn-uka9 |
|---|
| Summary | Normally Mozilla-based clients prevent web content from linking to local files
but Eric Foley reports a partial bypass of this restriction by using Windows
filename syntax (on a Windows computer) rather than a file:/// URL as the
SRC= attribute. The image will not be loaded on the web page--it will appear as
a broken image--but if a user can be convinced to right-click and select
"View Image" then the content will be loaded. Since the image will replace
the current document attacker script cannot be run on it. Loading a local
file at a known location is about the extent of this attack.If the local file is a media file an external helper program may be launched
to play the media depending on your settings. The action will be the same
as if you had clicked on a remote link of the same media type and does not
present any additional risk. Local files identified as executable will
never be opened in this way, with "executable" broadly
defined on windows to include many scriptable document formats with a history
of being abused.By referencing a local device rather than a file this could be used
as a limited denial-of-service attack to hang the browser. |
|---|
| Aliases |
|
|---|
| Fixed_packages |
|
|---|
| Affected_packages |
|
|---|
| References |
|
|---|
| Weaknesses |
|
|---|
| Exploits |
|
|---|
| Severity_range_score | 0.1 - 3 |
|---|
| Exploitability | null |
|---|
| Weighted_severity | null |
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-yng5-8qtn-uka9 |
|---|