CVE-2010-0178 — Code Injection in Mozilla Firefox

CWE-94 — Code Injection8 documents6 sources

Severity

7.6HIGHNVD

EPSS

4.9%

top 10.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey

Timeline

PublishedApr 5

Latest updateMay 2

Description

Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, does not prevent applets from interpreting mouse clicks as drag-and-drop actions, which allows remote attackers to execute arbitrary JavaScript with Chrome privileges by loading a chrome: URL and then loading a javascript: URL.

CVSS vector

AV:N/AC:H/C:C/I:C/A:CExploitability: 4.9 | Impact: 10.0

Affected Packages2 packages

▶NVDmozilla/firefox3.0.17+93

▶NVDmozilla/seamonkey2.0.3+34

🔴Vulnerability Details

GHSA

GHSA-8m7g-3wf3-3hff: Mozilla Firefox before 3↗2022-05-02

▶

CVEList

CVE-2010-0178: Mozilla Firefox before 3↗2010-04-05

▶

📋Vendor Advisories

Ubuntu

Firefox 3.0 and Xulrunner vulnerabilities↗2010-04-09

▶

Ubuntu

Firefox 3.5 and Xulrunner vulnerabilities↗2010-04-09

▶

Red Hat

Firefox Chrome privilege escalation via forced URL drag and drop↗2010-03-30

▶

💬Community

Bugzilla

CVE-2010-0178 Firefox Chrome privilege escalation via forced URL drag and drop↗2010-03-30

▶

Bugzilla

CVE-2009-4307 kernel: ext4: avoid divide by zero when trying to mount a corrupted file system↗2009-12-14

▶