CVE-2010-3765
published 2010-10-28


Priority: P1 88 (critical)
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2025-10-27
Exploited in the wild
EPSS: 83.28% (99.6th percentile)
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before 3.0.10, and SeaMonkey 2.x before 2.0.10, when JavaScript is enabled, allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption, as exploited in the wild in October 2010 by the Belmoo malware.

Affected

49 ranges · showing 25
Vendor | Product | Version range | Fixed in
mozilla | firefox | |

Detection & IOCs (extracted from sources)

command: document.write + appendChild interleaving
path: %temp%\vchost.exe
bytes: ub333udeaduffffuffff
bytes: uffffuffffuffffuffff (shellcode terminator pattern)
  • Target fingerprinting via navigator.userAgent: exploit checks for Firefox 3.6.8–3.6.11 on non-Vista/Win7 platforms before delivering payload
  • Exploit triggers via interleaved document.write and appendChild calls using specific HTML tags: 'audio', 'a', 'base' — monitor for this pattern in JavaScript executing in browser context
  • Metasploit module uses vuln_test checking for InstallVersion object to confirm vulnerable Firefox target before exploitation
  • In-the-wild exploit (Belmoo malware) drops and executes payload as vchost.exe in %TEMP% directory — monitor for this process creation
  • Metasploit module sets EXITFUNC=process and uses migrate -f as InitialAutoRunScript — look for suspicious process migration post-exploitation
  • Exploit payload space is 1024 bytes with no bad characters; ROP chain signatures (e.g. u9090u0FEB NOP sled marker, u5B58u1889 gadget) appear repeatedly in shellcode blobs
  • Exploit only targets Firefox 3.6.8–3.6.11 on Windows XP / Windows Server 2003 (not Vista/Win7); the in-the-wild and Metasploit variants both explicitly exclude NT 6.0 and 6.1
  • JavaScript must be enabled in the browser for the vulnerability to be exploitable
  • Affected products span Firefox 3.5.x–3.5.14, 3.6.x–3.6.11, Thunderbird 3.0.x before 3.0.10 and before 3.1.6, and SeaMonkey 2.x before 2.0.10; detection scope should cover all these products, not just Firefox

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck | | 9.8 | CRITICAL |
cisa | | 9.8 | CRITICAL |
vendor_redhat | | 9.8 | CRITICAL |