Mozilla Products: Wrong principal used for validating URI for some Javascript components - mfsa2013-72ID: oval:org.secpod.oval:def:16335 | Date: (C)2013-12-30 (M)2023-12-07 |
Class: PATCH | Family: macos |
Security researcher Cody Crews reported that some Javascript components will perform checks against the wrong uniform resource identifier (URI) before performing security sensitive actions. This will return an incorrect location for the originator of the call. This could be used to bypass same-origin policy, allowing for cross-site scripting (XSS) or the installation of malicious add-ons from third-party pages.
Platform: |
Apple Mac OS 14 |
Apple Mac OS 13 |
Apple Mac OS 12 |
Apple Mac OS 11 |
Apple Mac OS X 10.15 |
Apple Mac OS X 10.14 |
Apple Mac OS X 10.13 |
Apple Mac OS X 10.11 |
Apple Mac OS X 10.12 |
Product: |
Mozilla Firefox |
Mozilla Thunderbird ESR |
Mozilla SeaMonkey |
Mozilla Thunderbird |
Mozilla Firefox ESR |