CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Mozilla : Security Vulnerabilities Published In 2005

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2005-4874 94 2005-12-31 2008-09-05
4.3
None Remote Medium Not required Partial None None
The XMLHttpRequest object in Mozilla 1.7.8 supports the HTTP TRACE method, which allows remote attackers to obtain (1) proxy authentication passwords via a request with a "Max-Forwards: 0" header or (2) arbitrary local passwords on the web server that hosts this object.
2 CVE-2005-4809 2005-12-31 2008-09-05
5.0
None Remote Low Not required None Partial None
Mozilla Firefox 1.0.1 and possibly other versions, including Mozilla and Thunderbird, allows remote attackers to spoof the URL in the Status Bar via an A HREF tag that contains a TABLE tag that contains another A tag.
3 CVE-2005-4720 DoS 2005-12-31 2008-09-05
5.0
None Remote Low Not required None None Partial
Mozilla Firefox 1.0.7 and earlier on Linux allows remote attackers to cause a denial of service (client crash) via an IFRAME element with a large value of the WIDTH attribute, which triggers a problem related to representation of floating-point numbers, leading to an infinite loop of widget resizes and a corresponding large number of function calls on the stack.
4 CVE-2005-4685 2005-12-31 2008-09-05
6.4
None Remote Low Not required Partial Partial None
Firefox and Mozilla can associate a cookie with multiple domains when the DNS resolver has a non-root domain in its search list, which allows remote attackers to trick a user into accepting a cookie for a hostname formed via search-list expansion of the hostname entered by the user, or steal a cookie for an expanded hostname, as demonstrated by an attacker who operates an ap1.com Internet web site to steal cookies associated with an ap1.com.example.com intranet web site.
5 CVE-2005-4534 2005-12-27 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
The shadow database feature (syncshadowdb) in Bugzilla 2.9 through 2.16.10 allows local users to overwrite arbitrary files via a symlink attack on temporary files.
6 CVE-2005-4134 DoS Overflow 2005-12-09 2010-08-21
5.0
None Remote Low Not required None None Partial
Mozilla Firefox 1.5, Netscape 8.0.4 and 7.2, and K-Meleon before 0.9.12 allows remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup. NOTE: despite initial reports, the Mozilla vendor does not believe that this issue can be used to trigger a crash or buffer overflow in Firefox. Also, it has been independently reported that Netscape 8.1 does not have this issue.
7 CVE-2005-3896 DoS 2005-11-29 2008-09-05
7.8
None Remote Low Not required None None Complete
Mozilla allows remote attackers to cause a denial of service (CPU consumption) via a Javascript BODY onload event that calls the window function.
8 CVE-2005-3402 Bypass +Info 2005-11-01 2008-09-05
2.6
None Remote High Not required Partial None None
The SMTP client in Mozilla Thunderbird 1.0.5 BETA, 1.0.7, and possibly other versions, does not notify users when it cannot establish a secure channel with the server, which allows remote attackers to obtain authentication information without detection via a man-in-the-middle (MITM) attack that bypasses TLS authentication or downgrades CRAM-MD5 authentication to plain authentication.
9 CVE-2005-3139 2005-10-05 2008-09-05
5.0
None Remote Low Not required Partial None None
Bugzilla 2.19.1 through 2.20rc2 and 2.21, with user matching turned on in substring mode, allows attackers to list all users whose names match an arbitrary substring, even when the usevisibilitygroups parameter is set.
10 CVE-2005-3138 +Info 2005-10-05 2008-09-05
5.0
None Remote Low Not required Partial None None
Bugzilla 2.18rc1 through 2.18.3, 2.19 through 2.20rc2, and 2.21 allows remote attackers to obtain sensitive information such as the list of installed products via the config.cgi file, which is accessible even when the requirelogin parameter is set.
11 CVE-2005-3089 DoS 2005-09-28 2010-08-21
2.6
None Remote High Not required None None Partial
Firefox 1.0.6 allows attackers to cause a denial of service (crash) via a Proxy Auto-Config (PAC) script that uses an eval statement. NOTE: it is not clear whether an untrusted party has any role in triggering this issue, so it might not be a vulnerability.
12 CVE-2005-2968 Exec Code 2005-09-20 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
Firefox 1.0.6 and Mozilla 1.7.10 allows attackers to execute arbitrary commands via shell metacharacters in a URL that is provided to the browser on the command line, which is sent unfiltered to bash.
13 CVE-2005-2871 DoS Exec Code Overflow 2005-09-09 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec.
14 CVE-2005-2707 2005-09-23 2010-08-21
5.0
None Remote Low Not required None Partial None
Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to spawn windows without user interface components such as the address and status bar, which could be used to conduct spoofing or phishing attacks.
15 CVE-2005-2706 2005-09-23 2010-08-21
6.4
None Remote Low Not required Partial Partial None
Firefox before 1.0.7 and Mozilla before Suite 1.7.12 allows remote attackers to execute Javascript with chrome privileges via an about: page such as about:mozilla.
16 CVE-2005-2705 Exec Code Overflow 2005-09-23 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
Integer overflow in the JavaScript engine in Firefox before 1.0.7 and Mozilla Suite before 1.7.12 might allow remote attackers to execute arbitrary code.
17 CVE-2005-2704 2005-09-23 2010-08-21
5.0
None Remote Low Not required None Partial None
Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to spoof DOM objects via an XBL control that implements an internal XPCOM interface.
18 CVE-2005-2703 94 2005-09-23 2011-02-10
5.0
None Remote Low Not required None Partial None
Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to modify HTTP headers of XML HTTP requests via XMLHttpRequest, and possibly use the client to exploit vulnerabilities in servers or proxies, including HTTP request smuggling and HTTP request splitting.
19 CVE-2005-2702 DoS Exec Code 2005-09-23 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via Unicode sequences with "zero-width non-joiner" characters.
20 CVE-2005-2701 Exec Code Overflow 2005-09-23 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
Heap-based buffer overflow in Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to execute arbitrary code via an XBM image file that ends in a large number of spaces instead of the expected end tag.
21 CVE-2005-2602 2005-08-17 2008-09-05
2.6
None Remote High Not required None Partial None
Mozilla Thunderbird 1.0 and Firefox 1.0.6 allows remote attackers to obfuscate URIs via a long URI, which causes the address bar to go blank and could facilitate phishing attacks.
22 CVE-2005-2429 2005-08-03 2008-09-05
5.0
None Remote Low Not required None Partial None
Firefox, when opening Microsoft Word documents, does not properly set the permissions on shared sections, which allows remote attackers to write arbitrary data to open applications in Microsoft Office.
23 CVE-2005-2395 2005-07-27 2008-09-05
5.0
None Remote Low Not required Partial None None
Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge with the strongest authentication scheme available as required by RFC2617, which might cause credentials to be sent in plaintext even if an encrypted channel is available.
24 CVE-2005-2353 2005-08-05 2008-09-05
2.1
None Local Low Not required None Partial None
run-mozilla.sh in Thunderbird, with debugging enabled, allows local users to create or overwrite arbitrary files via a symlink attack on temporary files.
25 CVE-2005-2270 Exec Code 2005-07-13 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object.
26 CVE-2005-2269 Exec Code 2005-07-13 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing").
27 CVE-2005-2268 2005-07-13 2010-08-21
2.6
None Remote High Not required None Partial None
Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."
28 CVE-2005-2267 Exec Code 2005-07-13 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL.
29 CVE-2005-2266 2005-07-13 2010-08-21
5.0
None Remote Low Not required Partial None None
Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents.
30 CVE-2005-2265 DoS Exec Code 2005-07-13 2010-08-21
5.0
None Remote Low Not required None None Partial
Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string.
31 CVE-2005-2264 2005-07-13 2010-08-21
7.5
None Remote Low Not required Partial Partial Partial
Firefox before 1.0.5 allows remote attackers to steal sensitive information by opening a malicious link in the Firefox sidebar using the _search target, then injecting script into other pages via a data: URL.
32 CVE-2005-2263 2005-07-13 2010-08-21
5.0
None Remote Low Not required None Partial None
The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation.
33 CVE-2005-2262 Exec Code 2005-07-13 2010-08-21
5.1
User Remote High Not required Partial Partial Partial
Firefox 1.0.3 and 1.0.4, and Netscape 8.0.2, allows remote attackers to execute arbitrary code by tricking the user into using the "Set As Wallpaper" (in Firefox) or "Set as Background" (in Netscape) context menu on an image URL that is really a javascript: URL with an eval statement, aka "Firewalling."
34 CVE-2005-2261 Bypass 2005-07-13 2010-08-21
7.5
None Remote Low Not required Partial Partial Partial
Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection.
35 CVE-2005-2260 2005-07-13 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user.
36 CVE-2005-2174 2005-07-08 2008-09-05
2.6
None Remote High Not required Partial None None
Bugzilla 2.17.x, 2.18 before 2.18.2, 2.19.x, and 2.20 before 2.20rc1 inserts a bug into the database before it is marked private, which introduces a race condition and allows attackers to access information about the bug via buglist.cgi before MySQL replication is complete.
37 CVE-2005-2173 2005-07-08 2008-09-05
5.0
None Remote Low Not required None Partial None
The Flag::validate and Flag::modify functions in Bugzilla 2.17.1 to 2.18.1 and 2.19.1 to 2.19.3 do not verify that the flag ID is appropriate for the given bug or attachment ID, which allows users to change flags on arbitrary bugs and obtain a bug summary via process_bug.cgi.
38 CVE-2005-2114 DoS 2005-07-05 2010-08-21
5.0
None Remote Low Not required None None Partial
Mozilla 1.7.8, Firefox 1.0.4, Camino 0.8.4, Netscape 8.0.2, and K-Meleon 0.9, and possibly other products that use the Gecko engine, allow remote attackers to cause a denial of service (application crash) via JavaScript that repeatedly calls an empty function.
39 CVE-2005-1937 2005-06-14 2010-08-21
2.6
None Remote High Not required None Partial None
A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718.
40 CVE-2005-1576 2005-05-12 2008-09-05
2.6
None Remote High Not required None Partial None
The file download dialog in Mozilla Firefox 0.10.1 and 1.0 for Windows uses the Content-Type HTTP header to determine the file type, but saves the original file extension when "Save to Disk" is selected, which allows remote attackers to hide the real file types of downloaded files.
41 CVE-2005-1575 2005-05-14 2008-09-05
5.0
None Remote Low Not required None Partial None
The file download dialog in Mozilla Firefox 0.10.1 and 1.0 for Windows allows remote attackers to hide the real file types of downloaded files via the Content-Type HTTP header and a filename containing whitespace, dots, or ASCII byte 160.
42 CVE-2005-1565 2005-05-12 2008-09-05
5.0
None Remote Low Not required Partial None None
Bugzilla 2.17.1 through 2.18, 2.19.1, and 2.19.2, when a user is prompted to log in while attempting to view a chart, displays the password in the URL, which may allow local users to gain sensitive information from web logs or browser history.
43 CVE-2005-1564 2005-05-12 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
post_bug.cgi in Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 allows remote authenticated users to "enter bugs into products that are closed for bug entry" by modifying the URL to specify the name of the product.
44 CVE-2005-1563 2005-05-14 2008-09-05
5.0
None Remote Low Not required Partial None None
Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 displays a different error message depending on whether a product exists or not, which allows remote attackers to determine hidden products.
45 CVE-2005-1532 264 2005-05-12 2011-02-14
7.5
User Remote Low Not required Partial Partial Partial
Firefox before 1.0.4 and Mozilla Suite before 1.7.8 do not properly limit privileges of Javascript eval and Script objects in the calling context, which allows remote attackers to conduct unauthorized activities via "non-DOM property overrides," a variant of CVE-2005-1160.
46 CVE-2005-1531 2005-05-12 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly implement certain security checks for script injection, which allows remote attackers to execute script via "Wrapped" javascript: URLs, as demonstrated using (1) a javascript: URL in a view-source: URL, (2) a javascript: URL in a jar: URL, or (3) "a nested variant."
47 CVE-2005-1477 Exec Code XSS 2005-05-09 2010-08-21
5.1
User Remote High Not required Partial Partial Partial
The install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary Javascript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site.
48 CVE-2005-1476 Exec Code 2005-05-09 2010-08-21
5.1
None Remote High Not required Partial Partial Partial
Firefox 1.0.3 allows remote attackers to execute arbitrary Javascript in other domains by using an IFRAME and causing the browser to navigate to a previous javascript: URL, which can lead to arbitrary code execution when combined with CVE-2005-1477.
49 CVE-2005-1160 +Priv 2005-05-02 2010-08-21
5.1
User Remote High Not required Partial Partial Partial
The privileged "chrome" UI code in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to gain privileges by overriding certain properties or methods of DOM nodes, as demonstrated using multiple attacks involving the eval function or the Script object.
50 CVE-2005-1159 DoS Exec Code Bypass 2005-05-02 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
The native implementations of InstallTrigger and other functions in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 do not properly verify the types of objects being accessed, which causes the Javascript interpreter to continue execution at the wrong memory address, which may allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code by passing objects of the wrong type.
Total number of vulnerabilities : 93   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.