Page 107 of 661 results (0.020 seconds)

CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0

Directory traversal vulnerability in Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird before 2.0.0.17, and SeaMonkey before 1.1.12 allows remote attackers to bypass "restrictions imposed on local HTML files," and obtain sensitive information and prompt users to write this information into a file, via directory traversal sequences in a resource: URI. Vulnerabilidad de salto de directorio en Firefox de Mozilla antes de 2.0.0.17 y 3.x antes de 3.0.2, Thunderbird antes de 2.0.0.17, y SeaMonkey antes de 1.1.12 permite a atacantes remotos evitar "restricciones impuestas en archivos HTML locales" y obtener información sensible y a los usuarios de línea de comandos escribir esta información en un archivo, mediante secuencias de salto de directorio en un URI fuente. • http://download.novell.com/Download?buildid=WZXONb-tqBw~ http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00005.html http://secunia.com/advisories/31984 http://secunia.com/advisories/31985 http://secunia.com/advisories/31987 http://secunia.com/advisories/32007 http://secunia.com/advisories/32010 http://secunia.com/advisories/32011 http://secunia.com/advisories/32012 http://secunia.com/advisories/32025 http://secunia.com/advisories/32042 http://secunia.com/advisorie • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 4.0EPSS: 1%CPEs: 18EXPL: 0

Mozilla 1.9 M8 and earlier, Mozilla Firefox 2 before 2.0.0.15, SeaMonkey 1.1.5 and other versions before 1.1.10, Netscape 9.0, and other Mozilla-based web browsers, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regard the certificate as also accepted for all domain names in subjectAltName:dNSName fields, which makes it easier for remote attackers to trick a user into accepting an invalid certificate for a spoofed web site. Mozilla 1.9 M8 y anteriores, Mozilla Firefox 2 y anteriores a 2.0.0.15, SeaMonkey 1.1.5 y otras versiones anteriores a 1.1.10, Netscape 9.0, y otras navegadores basados en Mozilla, cuando un usuario aceptar un certificado SSL de servidor sobre las bases del nombre de dominio CN en el campo DN, considerando que el certificado es también aceptado por todos los nombres de dominio en el campo subjectAltName:dNSName, el cual hace más fácil a los atacantes remotos engañar a un usuario aceptando un certificado no válido para una página web falsa. • http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html http://nils.toedtmann.net/pub/subjectAltName.txt http://rhn.redhat.com/errata/RHSA-2008-0616.html http://secunia.com/advisories/30878 http://secunia.com/advisories/30898 http://secunia.com/advisories/30903 http://secunia.com/advisories/30911 http://secunia.com/advisories/30949 http://secunia.com/advisories/31005 http://secunia.com/advisories/31008 http://secunia.com/advisories/31021 http://secunia.com&# • CWE-20: Improper Input Validation •

CVSS: 4.3EPSS: 0%CPEs: 24EXPL: 0

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors involving (1) an event handler attached to an outer window, (2) a SCRIPT element in an unloaded document, or (3) the onreadystatechange handler in conjunction with an XMLHttpRequest. Mozilla Firefox anteriores a 2.0.0.15 y SeaMonkey anterior a 1.1.10, permite a atacantes remotos saltar el Same Origin Policy y conducir un ataque de secuencias de comandos en sitios cruzados a través de vectores que involucran (1) un gestor de evento adjuntado a una ventana experna, (2) un elemento SCRIPT en un documento eliminado de memoria o (3) el gestor onreadystatechange en conjunción con una XMLHttpRequest. • http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html http://rhn.redhat.com/errata/RHSA-2008-0616.html http://secunia.com/advisories/30878 http://secunia.com/advisories/30898 http://secunia.com/advisories/30903 http://secunia.com/advisories/30911 http://secunia.com/advisories/30949 http://secunia.com/advisories/31005 http://secunia.com/advisories/31008 http://secunia.com/advisories/31021 http://secunia.com/advisories/31023 http://secunia.com/advisories/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 49%CPEs: 37EXPL: 0

Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to execute arbitrary code via an XUL document that includes a script from a chrome: URI that points to a fastload file, related to this file's "privilege level." Mozilla Firefox y versiones anteriores a 2.0.0.15, Thunderbird 2.0.0.14 y anteriores, y SeaMonkey y anteriores a 1.1.10 permiten a los atacantes remotos ejecutar código arbitrario a través de un documento XUL que incluye una secuencia de comandos desde un chrome: URI que apunta a un archivo de carga rápida, relacionado con el nivel de permisos de este fichero. • http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html http://rhn.redhat.com/errata/RHSA-2008-0616.html http://secunia.com/advisories/30878 http://secunia.com/advisories/30898 http://secunia.com/advisories/30903 http://secunia.com/advisories/30911 http://secunia.com/advisories/30915 http://secunia.com/advisories/30949 http://secunia.com/advisories/31005 http://secunia.com/advisories/31008 http://secunia.com/advisories/31021 http://secunia.com/advisories/3 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 6.8EPSS: 22%CPEs: 37EXPL: 0

The mozIJSSubScriptLoader.LoadScript function in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 does not apply XPCNativeWrappers to scripts loaded from (1) file: URIs, (2) data: URIs, or (3) certain non-canonical chrome: URIs, which allows remote attackers to execute arbitrary code via vectors involving third-party add-ons. La función mozIJSSubScriptLoader.LoadScript en Mozilla Firefox anteriores a 2.0.0.15, Thunderbird 2.0.0.14 y anteriores, y SeaMonkey anteriores a 1.1.10no aplican XPCNativeWrappers a las secuencias de comandos cargadas desde (1) file: URIs, (2) data: URIs, o (3) certain non-canonical chrome: URIs, lo que permite a atacantes remotos ejecutar código arbitrario a través de vectores que implican accesorios de terceros. • http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html http://rhn.redhat.com/errata/RHSA-2008-0616.html http://secunia.com/advisories/30878 http://secunia.com/advisories/30898 http://secunia.com/advisories/30903 http://secunia.com/advisories/30911 http://secunia.com/advisories/30915 http://secunia.com/advisories/30949 http://secunia.com/advisories/31005 http://secunia.com/advisories/31008 http://secunia.com/advisories/31021 http://secunia.com/advisories/3 • CWE-264: Permissions, Privileges, and Access Controls •