CVE-2010-2768 — Cross-site Scripting in Mozilla Firefox

CWE-79 — Cross-site Scripting9 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.8%

top 26.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird

Timeline

PublishedSep 9

Latest updateMay 17

Description

Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict use of the type attribute of an OBJECT element to set a document's charset, which allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms via UTF-7 encoding.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶NVDmozilla/firefox3.5.11+87

▶NVDmozilla/seamonkey2.0.6+40

▶NVDmozilla/thunderbird3.0.6+67

🔴Vulnerability Details

GHSA

GHSA-85q9-j3xv-55xg: Mozilla Firefox before 3↗2022-05-17

▶

CVEList

CVE-2010-2768: Mozilla Firefox before 3↗2010-09-09

▶

📋Vendor Advisories

Ubuntu

Firefox and Xulrunner regression↗2010-09-16

▶

Ubuntu

Thunderbird regression↗2010-09-16

▶

Ubuntu

Thunderbird vulnerabilities↗2010-09-08

▶

Ubuntu

Firefox and Xulrunner vulnerabilities↗2010-09-08

▶

Red Hat

Mozilla UTF-7 XSS by overriding document charset using <object> type attribute (MFSA 2010-61)↗2010-09-07

▶

💬Community

Bugzilla

CVE-2010-2768 Mozilla UTF-7 XSS by overriding document charset using <object> type attribute (MFSA 2010-61)↗2010-09-03

▶