Integer overflow in the XSLT node sorting implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a large text value for a node.
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13287
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10885
https://exchange.xforce.ibmcloud.com/vulnerabilities/59666
https://bugzilla.mozilla.org/show_bug.cgi?id=554255
http://www.zerodayinitiative.com/advisories/ZDI-10-113
http://www.vupen.com/english/advisories/2010/1773
http://www.vupen.com/english/advisories/2010/1640
http://www.vupen.com/english/advisories/2010/1592
http://www.vupen.com/english/advisories/2010/1557
http://www.vupen.com/english/advisories/2010/1556
http://www.vupen.com/english/advisories/2010/1551
http://www.ubuntu.com/usn/usn-930-2
http://www.securitytracker.com/id?1024139
http://www.securitytracker.com/id?1024138
http://www.securityfocus.com/bid/41082
http://www.securityfocus.com/bid/41050
http://www.securityfocus.com/archive/1/511972/100/0/threaded
http://www.redhat.com/support/errata/RHSA-2010-0501.html
http://www.redhat.com/support/errata/RHSA-2010-0500.html
http://www.redhat.com/support/errata/RHSA-2010-0499.html
http://www.mozilla.org/security/announce/2010/mfsa2010-30.html
http://www.mandriva.com/security/advisories?name=MDVSA-2010:125
http://www.exploit-db.com/exploits/14949
http://ubuntu.com/usn/usn-930-1
http://support.avaya.com/css/P8/documents/100091069
http://secunia.com/advisories/40481
http://secunia.com/advisories/40401
http://secunia.com/advisories/40326
http://secunia.com/advisories/40323
http://lists.opensuse.org/opensuse-security-announce/2010-07/msg00005.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043405.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043369.html