CVE-2010-1197 — Cross-site Scripting in Mozilla Seamonkey

CWE-79 — Cross-site Scripting11 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

1.0%

top 22.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Seamonkey Mozilla Firefox

Timeline

PublishedJun 24

Latest updateMay 2

Description

Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, does not properly handle situations in which both "Content-Disposition: attachment" and "Content-Type: multipart" are present in HTTP headers, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an uploaded HTML document.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDmozilla/seamonkey2.0.4+34

▶NVDmozilla/firefox12 versions+11

🔴Vulnerability Details

GHSA

GHSA-3chw-v2q9-5w9w: Mozilla Firefox 3↗2022-05-02

▶

CVEList

CVE-2010-1197: Mozilla Firefox 3↗2010-06-23

▶

📋Vendor Advisories

Ubuntu

Firefox and Xulrunner vulnerability↗2010-07-26

▶

Ubuntu

Firefox and Xulrunner vulnerabilities↗2010-07-23

▶

Ubuntu

ant, apturl, Epiphany, gluezilla, gnome-python-extras, liferea, mozvoikko, OpenJDK, packagekit, ubufox, webfav, yelp update↗2010-07-23

▶

Ubuntu

Firefox regression↗2010-06-30

▶

Ubuntu

Firefox and Xulrunner vulnerabilities↗2010-06-29

▶

💬Community

Bugzilla

CVE-2010-1197 Mozilla Content-Disposition: attachment ignored if Content-Type: multipart also present↗2010-05-10

▶