Vulnerability_id VCID-ppd4-9vpc-rkg4
Summary
shutdown reported that if you could convince a user to
open a blocked popup you could perform a cross-site scripting attack against
any site that contains a frame whose source is a data: URL. To accomplish this
the attacker's site would have to frame the target site plus another frame
whose source is the exact same data: URL as the victim site, and then
attempt to open a popup with a javascript: URL from the data: frame. It is
unclear whether any high-value target sites that match this description
actually exist. Similarly, Michal Zalewski reported that although pages
loaded from the web normally cannot open windows containing local files,
if you could convince a user to open a blocked popup then this restriction
could be bypassed. In order to take advantage of this flaw the attacker
would have to know the full path to a locally-saved file containing
malicious script. He also reported that a flaw in the seeding of the
pseudo-random number generator resulted in downloaded files being
saved to temporary files with a reasonably predictable name. The two combined
could be used to steal information saved on the local disk.
Aliases
0
alias CVE-2007-0780
Fixed_packages
0
url pkg:mozilla/SeaMonkey@1.0.8
purl pkg:mozilla/SeaMonkey@1.0.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8
Affected_packages
References
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780
reference_id CVE-2007-0780
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2007-05
reference_id mfsa2007-05
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2007-05
Weaknesses
Exploits
Severity_range_score null
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ppd4-9vpc-rkg4