National Vulnerability Database (NVD) National Vulnerability Database (CVE-2006-6503)

National Cyber Awareness System

Vulnerability Summary for CVE-2006-6503

Original release date:12/20/2006

Last revised:03/08/2011

Source: US-CERT/NIST

Overview

Mozilla Firefox 2.x before 2.0.0.1, 1.5.x before 1.5.0.9, Thunderbird before 1.5.0.9, and SeaMonkey before 1.0.7 allows remote attackers to bypass cross-site scripting (XSS) protection by changing the src attribute of an IMG element to a javascript: URI.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

US-CERT Technical Alert: TA06-354A

Name: TA06-354A

Hyperlink:http://www.us-cert.gov/cas/techalerts/TA06-354A.html

US-CERT Vulnerability Note: VU#405092

Name: VU#405092

Hyperlink:http://www.kb.cert.org/vuls/id/405092

External Source: CONFIRM

Name: https://issues.rpath.com/browse/RPL-883

Hyperlink:https://issues.rpath.com/browse/RPL-883

External Source: VUPEN

Name: ADV-2008-0083

Hyperlink:http://www.vupen.com/english/advisories/2008/0083

External Source: VUPEN

Name: ADV-2006-5068

Hyperlink:http://www.vupen.com/english/advisories/2006/5068

External Source: UBUNTU

Name: USN-400-1

Hyperlink:http://www.ubuntu.com/usn/usn-400-1

External Source: UBUNTU

Name: USN-398-2

Hyperlink:http://www.ubuntu.com/usn/usn-398-2

External Source: UBUNTU

Name: USN-398-1

Hyperlink:http://www.ubuntu.com/usn/usn-398-1

External Source: BID

Name: 21668

Hyperlink:http://www.securityfocus.com/bid/21668

External Source: BUGTRAQ

Name: 20070102 rPSA-2006-0234-2 firefox thunderbird

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/455728/100/200/threaded

External Source: SUSE

Name: SUSE-SA:2007:006

Hyperlink:http://www.novell.com/linux/security/advisories/2007_06_mozilla.html

External Source: SUSE

Name: SUSE-SA:2006:080

Hyperlink:http://www.novell.com/linux/security/advisories/2006_80_mozilla.html

External Source: CONFIRM

Name: http://www.mozilla.org/security/announce/2006/mfsa2006-72.html

Hyperlink:http://www.mozilla.org/security/announce/2006/mfsa2006-72.html

External Source: GENTOO

Name: GLSA-200701-04

Hyperlink:http://www.gentoo.org/security/en/glsa/glsa-200701-04.xml

External Source: GENTOO

Name: GLSA-200701-03

Hyperlink:http://www.gentoo.org/security/en/glsa/glsa-200701-03.xml

External Source: SECTRACK

Name: 1017416

Hyperlink:http://securitytracker.com/id?1017416

External Source: SECTRACK

Name: 1017415

Hyperlink:http://securitytracker.com/id?1017415

External Source: SECTRACK

Name: 1017414

Hyperlink:http://securitytracker.com/id?1017414

External Source: GENTOO

Name: GLSA-200701-02

Hyperlink:http://security.gentoo.org/glsa/glsa-200701-02.xml

External Source: SECUNIA

Name: 23692

Hyperlink:http://secunia.com/advisories/23692

External Source: SECUNIA

Name: 23672

Hyperlink:http://secunia.com/advisories/23672

External Source: SECUNIA

Name: 23618

Hyperlink:http://secunia.com/advisories/23618

External Source: SECUNIA

Name: 23614

Hyperlink:http://secunia.com/advisories/23614

External Source: SECUNIA

Name: 23601

Hyperlink:http://secunia.com/advisories/23601

External Source: SECUNIA

Name: 23598

Hyperlink:http://secunia.com/advisories/23598

External Source: SECUNIA

Name: 23591

Hyperlink:http://secunia.com/advisories/23591

External Source: SECUNIA

Name: 23589

Hyperlink:http://secunia.com/advisories/23589

External Source: SECUNIA

Name: 23545

Hyperlink:http://secunia.com/advisories/23545

External Source: SECUNIA

Name: 23514

Hyperlink:http://secunia.com/advisories/23514

External Source: SECUNIA

Name: 23468

Hyperlink:http://secunia.com/advisories/23468

External Source: SECUNIA

Name: 23440

Hyperlink:http://secunia.com/advisories/23440

External Source: SECUNIA

Name: 23439

Hyperlink:http://secunia.com/advisories/23439

External Source: SECUNIA

Name: 23433

Hyperlink:http://secunia.com/advisories/23433

External Source: SECUNIA

Name: 23422

Hyperlink:http://secunia.com/advisories/23422

External Source: SECUNIA

Name: 23420

Hyperlink:http://secunia.com/advisories/23420

External Source: SECUNIA

Name: 23282

Hyperlink:http://secunia.com/advisories/23282

External Source: REDHAT

Name: RHSA-2006:0760

Hyperlink:http://rhn.redhat.com/errata/RHSA-2006-0760.html

External Source: REDHAT

Name: RHSA-2006:0759

Hyperlink:http://rhn.redhat.com/errata/RHSA-2006-0759.html

External Source: REDHAT

Name: RHSA-2006:0758

Hyperlink:http://rhn.redhat.com/errata/RHSA-2006-0758.html

External Source: OVAL

Name: oval:org.mitre.oval:def:10895

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10895

External Source: HP

Name: SSRT061181

Hyperlink:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742

External Source: FEDORA

Name: FEDORA-2007-004

Hyperlink:http://fedoranews.org/cms/node/2338

External Source: FEDORA

Name: FEDORA-2006-1491

Hyperlink:http://fedoranews.org/cms/node/2297

External Source: SGI

Name: 20061202-01-P

Hyperlink:ftp://patches.sgi.com/support/free/security/advisories/20061202-01-P.asc

External Source: BUGTRAQ

Name: 20061222 rPSA-2006-0234-1 firefox

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/455145/100/0/threaded

External Source: MANDRIVA

Name: MDKSA-2007:011

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2007:011

External Source: MANDRIVA

Name: MDKSA-2007:010

Hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2007:010

External Source: DEBIAN

Name: DSA-1265

Hyperlink:http://www.debian.org/security/2007/dsa-1265

External Source: DEBIAN

Name: DSA-1258

Hyperlink:http://www.debian.org/security/2007/dsa-1258

External Source: DEBIAN

Name: DSA-1253

Hyperlink:http://www.debian.org/security/2007/dsa-1253

External Source: SECUNIA

Name: 24390

Hyperlink:http://secunia.com/advisories/24390

External Source: SECUNIA

Name: 24078

Hyperlink:http://secunia.com/advisories/24078

External Source: SECUNIA

Name: 23988

Hyperlink:http://secunia.com/advisories/23988

External Source: HP

Name: HPSBUX02153

Hyperlink:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742

References to Check Content

Identifier:oval:org.mitre.oval:def:10895

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10895

Vulnerable software and versions

Configuration 1

* cpe:/a:mozilla:firefox:1.5.0.8 and previous versions

* cpe:/a:mozilla:firefox:2.0 and previous versions

* cpe:/a:mozilla:seamonkey:1.0.6 and previous versions

* cpe:/a:mozilla:thunderbird:1.5.0.8 and previous versions

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6503