National Vulnerability Database (NVD) National Vulnerability Database (CVE-2006-1741)

National Cyber Awareness System

Vulnerability Summary for CVE-2006-1741

Original release date:04/14/2006

Last revised:03/08/2011

Source: US-CERT/NIST

Overview

Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to inject arbitrary Javascript into other sites by (1) "using a modal alert to suspend an event handler while a new page is being loaded", (2) using eval(), and using certain variants involving (3) "new Script;" and (4) using window.__proto__ to extend eval, aka "cross-site JavaScript injection".

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Allows unauthorized modification

Solution

Fixed in: Firefox 1.5 Firefox 1.0.8 Mozilla Suite 1.7.13 SeaMonkey 1.0}

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: XF

Name: mozilla-eventhandler-xss(25806)

Hyperlink:http://xforce.iss.net/xforce/xfdb/25806

External Source: VUPEN

Name: ADV-2006-1356

Hyperlink:http://www.vupen.com/english/advisories/2006/1356

External Source: UBUNTU

Name: USN-276-1

Hyperlink:http://www.ubuntulinux.org/support/documentation/usn/usn-276-1

External Source: UBUNTU

Name: USN-275-1

Hyperlink:http://www.ubuntulinux.org/support/documentation/usn/usn-275-1

External Source: UBUNTU

Name: USN-271-1

Hyperlink:http://www.ubuntulinux.org/support/documentation/usn/usn-271-1

External Source: HP

Name: SSRT061158

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/438730/100/0/threaded

External Source: HP

Name: SSRT061158

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/438730/100/0/threaded

External Source: FEDORA

Name: FLSA:189137-2

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/436338/100/0/threaded

External Source: FEDORA

Name: FLSA:189137-1

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/436296/100/0/threaded

External Source: REDHAT

Name: RHSA-2006:0330

Hyperlink:http://www.redhat.com/support/errata/RHSA-2006-0330.html

External Source: REDHAT

Name: RHSA-2006:0329

Hyperlink:http://www.redhat.com/support/errata/RHSA-2006-0329.html

External Source: REDHAT

Name: RHSA-2006:0328

Hyperlink:http://www.redhat.com/support/errata/RHSA-2006-0328.html

External Source: FEDORA

Name: FEDORA-2006-411

Hyperlink:http://www.redhat.com/archives/fedora-announce-list/2006-April/msg00154.html

External Source: FEDORA

Name: FEDORA-2006-410

Hyperlink:http://www.redhat.com/archives/fedora-announce-list/2006-April/msg00153.html

External Source: SUSE

Name: SUSE-SA:2006:004

Hyperlink:http://www.novell.com/linux/security/advisories/2006_04_25.html

External Source: SUSE

Name: SUSE-SA:2006:004

Hyperlink:http://www.novell.com/linux/security/advisories/2006_04_25.html

External Source: CONFIRM

Name: http://www.mozilla.org/security/announce/2006/mfsa2006-09.html

Hyperlink:http://www.mozilla.org/security/announce/2006/mfsa2006-09.html

External Source: MANDRIVA

Name: MDKSA-2006:076

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2006:076

External Source: GENTOO

Name: GLSA-200605-09

Hyperlink:http://www.gentoo.org/security/en/glsa/glsa-200605-09.xml

External Source: GENTOO

Name: GLSA-200604-18

Hyperlink:http://www.gentoo.org/security/en/glsa/glsa-200604-18.xml

External Source: GENTOO

Name: GLSA-200604-12

Hyperlink:http://www.gentoo.org/security/en/glsa/glsa-200604-12.xml

External Source: DEBIAN

Name: DSA-1051

Hyperlink:http://www.debian.org/security/2006/dsa-1051

External Source: DEBIAN

Name: DSA-1046

Hyperlink:http://www.debian.org/security/2006/dsa-1046

External Source: DEBIAN

Name: DSA-1044

Hyperlink:http://www.debian.org/security/2006/dsa-1044

External Source: CONFIRM

Name: http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm

Hyperlink:http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm

External Source: SUNALERT

Name: 228526

Hyperlink:http://sunsolve.sun.com/search/document.do?assetkey=1-26-228526-1

External Source: SUNALERT

Name: 102550

Hyperlink:http://sunsolve.sun.com/search/document.do?assetkey=1-26-102550-1

External Source: SECUNIA

Name: 21622

Type: Advisory

Hyperlink:http://secunia.com/advisories/21622

External Source: SECUNIA

Name: 21033

Type: Advisory

Hyperlink:http://secunia.com/advisories/21033

External Source: SECUNIA

Name: 20051

Type: Advisory

Hyperlink:http://secunia.com/advisories/20051

External Source: SECUNIA

Name: 19950

Type: Advisory

Hyperlink:http://secunia.com/advisories/19950

External Source: SECUNIA

Name: 19941

Type: Advisory

Hyperlink:http://secunia.com/advisories/19941

External Source: SECUNIA

Name: 19902

Type: Advisory

Hyperlink:http://secunia.com/advisories/19902

External Source: SECUNIA

Name: 19863

Type: Advisory

Hyperlink:http://secunia.com/advisories/19863

External Source: SECUNIA

Name: 19862

Type: Advisory

Hyperlink:http://secunia.com/advisories/19862

External Source: SECUNIA

Name: 19852

Type: Advisory

Hyperlink:http://secunia.com/advisories/19852

External Source: SECUNIA

Name: 19823

Type: Advisory

Hyperlink:http://secunia.com/advisories/19823

External Source: SECUNIA

Name: 19821

Type: Advisory

Hyperlink:http://secunia.com/advisories/19821

External Source: SECUNIA

Name: 19811

Type: Advisory

Hyperlink:http://secunia.com/advisories/19811

External Source: SECUNIA

Name: 19780

Type: Advisory

Hyperlink:http://secunia.com/advisories/19780

External Source: SECUNIA

Name: 19759

Type: Advisory

Hyperlink:http://secunia.com/advisories/19759

External Source: SECUNIA

Name: 19746

Type: Advisory

Hyperlink:http://secunia.com/advisories/19746

External Source: SECUNIA

Name: 19729

Type: Advisory

Hyperlink:http://secunia.com/advisories/19729

External Source: SECUNIA

Name: 19721

Type: Advisory

Hyperlink:http://secunia.com/advisories/19721

External Source: SECUNIA

Name: 19714

Type: Advisory

Hyperlink:http://secunia.com/advisories/19714

External Source: SECUNIA

Name: 19696

Type: Advisory

Hyperlink:http://secunia.com/advisories/19696

External Source: SECUNIA

Name: 19631

Type: Advisory

Hyperlink:http://secunia.com/advisories/19631

External Source: OVAL

Name: oval:org.mitre.oval:def:9167

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9167

External Source: SUSE

Name: SUSE-SA:2006:021

Hyperlink:http://lists.suse.com/archive/suse-security-announce/2006-Apr/0003.html

External Source: SGI

Name: 20060404-01-U

Hyperlink:ftp://patches.sgi.com/support/free/security/advisories/20060404-01-U.asc

External Source: SCO

Name: SCOSA-2006.26

Hyperlink:ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.26/SCOSA-2006.26.txt

External Source: MANDRIVA

Name: MDKSA-2006:078

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2006:078

US Government Resource: oval:org.mitre.oval:def:1855

Name: oval:org.mitre.oval:def:1855

Type: Tool Signature

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1855

References to Check Content

Identifier:oval:org.mitre.oval:def:9167

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:9167

Identifier:oval:org.mitre.oval:def:1855

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:1855

Vulnerable software and versions

Configuration 1

* cpe:/a:mozilla:firefox:1.0

* cpe:/a:mozilla:firefox:1.0.1

* cpe:/a:mozilla:firefox:1.0.2

* cpe:/a:mozilla:firefox:1.0.3

* cpe:/a:mozilla:firefox:1.0.4

* cpe:/a:mozilla:firefox:1.0.5

* cpe:/a:mozilla:firefox:1.0.6

* cpe:/a:mozilla:firefox:1.5

* cpe:/a:mozilla:firefox:1.5:beta1

* cpe:/a:mozilla:firefox:1.5:beta2

* cpe:/a:mozilla:mozilla_suite:1.7.10

* cpe:/a:mozilla:mozilla_suite:1.7.11

* cpe:/a:mozilla:mozilla_suite:1.7.6

* cpe:/a:mozilla:mozilla_suite:1.7.7

* cpe:/a:mozilla:mozilla_suite:1.7.8

* cpe:/a:mozilla:seamonkey:1.0::alpha

* cpe:/a:mozilla:thunderbird:1.0

* cpe:/a:mozilla:thunderbird:1.0.1

* cpe:/a:mozilla:thunderbird:1.0.2

* cpe:/a:mozilla:thunderbird:1.0.3

* cpe:/a:mozilla:thunderbird:1.0.4

* cpe:/a:mozilla:thunderbird:1.0.5

* cpe:/a:mozilla:thunderbird:1.0.5:beta

* cpe:/a:mozilla:thunderbird:1.0.6

* cpe:/a:mozilla:thunderbird:1.5

* cpe:/a:mozilla:thunderbird:1.5:beta2

* cpe:/a:mozilla:firefox:1.0.7 and previous versions

* cpe:/a:mozilla:mozilla_suite:1.7.12 and previous versions

* cpe:/a:mozilla:seamonkey:1.0:beta and previous versions

* cpe:/a:mozilla:thunderbird:1.0.7 and previous versions

* cpe:/a:mozilla:thunderbird:1.5.0.1 and previous versions

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Cross-Site Scripting (XSS) (CWE-79)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1741