Mozilla Firefox infoRSS Extension Cross-Context Scripting Vulnerability
http://www.cert-in.org.in/vulnerability/civn-2009-144.htm
Original Issue Date: November 30, 2009
Severity Rating: High
System Affected
infoRSS 1.x (extension for Firefox)
Overview
A vulnerability has been reported in the infoRSS extension for Firefox,
which could allow a remote attacker to execute arbitrary code and compromise
a user’s system.
Description
This vulnerability is caused by improper sanitisation of user input
passed via RSS feeds before it is used to render content in the infoRSS
extension for Firefox. A remote attacker could exploit this vulnerability
by tricking a user into subscribing to a specially crafted RSS feed. Successful
exploitation of this vulnerability could allow a remote attacker to execute
arbitrary script code within the “chrome:” context and execute arbitrary
commands on a user’s system.
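The kind of sanitisation the Description refers to, as an added example (not part of the advisory and not infoRSS code): feed-supplied fields are escaped to inert text and links are restricted to http/https before anything reaches a privileged rendering context. The function names and the sample item are constructed for illustration.

```javascript
// Added example: helper names and the sample item are constructed, not infoRSS code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Turn feed-supplied text into inert character data so it cannot introduce
// elements or event-handler attributes when placed into markup.
function escapeMarkup(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Accept only absolute http/https URLs; javascript:, data:, chrome: and
// malformed or relative values are rejected (null).
function safeLink(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch (err) {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Build the record the UI is allowed to render from one parsed feed item.
function sanitizeFeedItem(item) {
  return {
    title: escapeMarkup(item.title ?? ""),
    description: escapeMarkup(item.description ?? ""),
    link: safeLink(item.link ?? ""), // null means: render no hyperlink
  };
}

// Constructed feed item carrying markup and a non-web link scheme.
const constructedItem = {
  title: '<b onmouseover="x()">Daily news</b>',
  description: "Tom & Jerry's <i>update</i>",
  link: "javascript:void(0)",
};

console.log(sanitizeFeedItem(constructedItem));
```

In a DOM or XUL rendering path the equivalent discipline is to assign feed text through textContent rather than innerHTML.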
Solution
http://www.mozilla.com/firefox/
Vendor Information
Mozilla
https://addons.mozilla.org/en-S/firefox/addons/versions/361#version-1.2.0
References
Mozilla
https://addons.mozilla.org/en-S/firefox/addons/versions/361#version-1.2.0
Secunia
http://secunia.com/advisories/37467/
Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln37091.html
Disclaimer
The information provided herein is on an “as is” basis, without warranty of
any kind.