CVE-2006-0299

critical

Description

The E4X implementation in Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 exposes the internal "AnyName" object to external interfaces, which allows multiple cooperating domains to exchange information in violation of the same origin restrictions.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1625

https://exchange.xforce.ibmcloud.com/vulnerabilities/24437

https://bugzilla.mozilla.org/show_bug.cgi?id=322312

http://www.vupen.com/english/advisories/2006/3749

http://www.vupen.com/english/advisories/2006/0413

http://www.securityfocus.com/bid/16476

http://www.securityfocus.com/archive/1/446657/100/200/threaded

http://www.mozilla.org/security/announce/2006/mfsa2006-08.html

http://securitytracker.com/id?1015570

http://secunia.com/advisories/22065

http://secunia.com/advisories/18704

http://secunia.com/advisories/18700

Details

Source: Mitre, NVD

Published: 2006-02-02

Updated: 2018-10-19

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical