CVE-2006-1731

CWE-79Cross-site Scripting (XSS)18 documents8 sources
Severity
4.3MEDIUM
EPSS
2.8%
top 13.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Mozilla FirefoxMozilla Mozilla SuiteMozilla Seamonkey+1 more
Timeline
PublishedApr 14
Latest updateMay 3

Description

Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 returns the Object class prototype instead of the global window object when (1) .valueOf.call or (2) .valueOf.apply are called without any arguments, which allows remote attackers to conduct cross-site scripting (XSS) attacks.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages5 packages

NVDmozilla/firefox1.0.7+8
NVDmozilla/thunderbird1.0.7+8
NVDmozilla/mozilla_suite1.7.12+5
Debianthunderbird< 1.5.0.2-1+3

🔴Vulnerability Details

3
GHSA
GHSA-5g37-6qw5-9qqj: Mozilla Firefox and Thunderbird 12022-05-03
OSV
CVE-2006-1731: Mozilla Firefox and Thunderbird 12006-04-14
CVEList
CVE-2006-1731: Mozilla Firefox and Thunderbird 12006-04-14

📋Vendor Advisories

5
Ubuntu
Thunderbird vulnerabilities2006-05-03
Ubuntu
Mozilla vulnerabilities2006-04-28
Ubuntu
Firefox vulnerabilities2006-04-20
Red Hat
security flaw2006-04-14
Debian
CVE-2006-1731: firefox - Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla S...2006

💬Community

7
Bugzilla
CVE-2006-1731 security flaw2018-08-16
Bugzilla
CVE-2006-1731 Cross-site scripting using .valueOf.call()2006-04-13
Bugzilla
CVE-2006-1731 Cross-site scripting using .valueOf.call()2006-04-13
Bugzilla
CVE-2006-1731 Cross-site scripting using .valueOf.call()2006-04-13
Bugzilla
CVE-2006-1731 Cross-site scripting using .valueOf.call()2006-04-13
CVE-2006-1731 (MEDIUM CVSS 4.3) | Mozilla Firefox and Thunderbird 1.x | cvebase.io