Vulnerability Details : CVE-2006-1733
Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 do not properly protect the compilation scope of privileged built-in XBL bindings, which allows remote attackers to execute arbitrary code via the (1) valueOf.call or (2) valueOf.apply methods of an XBL binding, or (3) "by inserting an XBL method into the DOM's document.body prototype chain."
Vulnerability category: Execute code
Products affected by CVE-2006-1733
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.5:beta:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_suite:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_suite:1.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_suite:1.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_suite:1.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_suite:1.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_suite:1.7.11:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:*:beta:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:1.0:*:alpha:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2006-1733
- 24.27%: probability of exploitation activity in the next 30 days
- ~96%: percentile, the proportion of vulnerabilities that are scored at or below this one
CVSS scores for CVE-2006-1733
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
CWE ids for CVE-2006-1733
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2006-1733
- http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm
  ASA-2006-205 (SUN 102502, 102513, 102514, 102519, 102550, 102556, 102557, 102582, 102588, 102589, 102593)
- http://www.securityfocus.com/archive/1/434524/100/0/threaded
- http://secunia.com/advisories/19821
  About Secunia Research | Flexera (Vendor Advisory)
- http://secunia.com/advisories/19759
  About Secunia Research | Flexera (Vendor Advisory)
- http://secunia.com/advisories/19862
  About Secunia Research | Flexera (Vendor Advisory)
- http://www.novell.com/linux/security/advisories/2006_04_25.html
  404 Page Not Found | SUSE
- http://www.mozilla.org/security/announce/2006/mfsa2006-16.html
  Accessing XBL compilation scope via valueOf.call() — Mozilla (Patch; Vendor Advisory)
- http://secunia.com/advisories/19811
  About Secunia Research | Flexera (Vendor Advisory)
- http://secunia.com/advisories/19823
  About Secunia Research | Flexera (Vendor Advisory)
- https://usn.ubuntu.com/271-1/
  404: Page not found | Ubuntu
- http://www.redhat.com/support/errata/RHSA-2006-0330.html
  Support
- http://www.debian.org/security/2006/dsa-1051
  [SECURITY] [DSA 1051-1] New Mozilla Thunderbird packages fix several vulnerabilities
- http://secunia.com/advisories/19631
  About Secunia Research | Flexera (Vendor Advisory)
- http://secunia.com/advisories/19729
  About Secunia Research | Flexera
- http://secunia.com/advisories/19852
  About Secunia Research | Flexera (Vendor Advisory)
- http://secunia.com/advisories/21033
  About Secunia Research | Flexera (Vendor Advisory)
- http://www.redhat.com/archives/fedora-announce-list/2006-April/msg00154.html
  [SECURITY] Fedora Core 5 Update: firefox-1.5.0.2-1.1.fc5
- http://secunia.com/advisories/19714
  About Secunia Research | Flexera (Vendor Advisory)
- http://secunia.com/advisories/19794
  About Secunia Research | Flexera (Vendor Advisory)
- http://www.gentoo.org/security/en/glsa/glsa-200604-12.xml
  Mozilla Firefox: Multiple vulnerabilities (GLSA 200604-12) — Gentoo security
- http://secunia.com/advisories/19863
  About Secunia Research | Flexera (Vendor Advisory)
- http://www.redhat.com/archives/fedora-announce-list/2006-April/msg00153.html
  [SECURITY] Fedora Core 4 Update: firefox-1.0.8-1.1.fc4
- http://www.redhat.com/support/errata/RHSA-2006-0329.html
  Support
- http://www.securityfocus.com/archive/1/438730/100/0/threaded
- http://secunia.com/advisories/19696
  About Secunia Research | Flexera
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:078
  Mandriva
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10815
  404 Not Found
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2020
  404 Not Found
- http://www.gentoo.org/security/en/glsa/glsa-200605-09.xml
  Mozilla Thunderbird: Multiple vulnerabilities (GLSA 200605-09) — Gentoo security
- http://secunia.com/advisories/19746
  About Secunia Research | Flexera (Vendor Advisory)
- http://www.vupen.com/english/advisories/2006/1356
  Site under construction
- http://secunia.com/advisories/19950
  About Secunia Research | Flexera (Vendor Advisory)
- ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.26/SCOSA-2006.26.txt
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102550-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-228526-1
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:076
  Mandriva
- http://secunia.com/advisories/19941
  About Secunia Research | Flexera (Vendor Advisory)
- http://www.securityfocus.com/archive/1/436296/100/0/threaded
- http://www.kb.cert.org/vuls/id/488774
  VU#488774 - Mozilla XBL binding vulnerability (US Government Resource)
- http://www.us-cert.gov/cas/techalerts/TA06-107A.html
  Page Not Found | CISA (US Government Resource)
- http://secunia.com/advisories/20051
  About Secunia Research | Flexera
- http://www.debian.org/security/2006/dsa-1046
  [SECURITY] [DSA 1046-1] New Mozilla packages fix several vulnerabilities
- http://secunia.com/advisories/19721
  About Secunia Research | Flexera (Vendor Advisory)
- http://secunia.com/advisories/21622
  About Secunia Research | Flexera (Vendor Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25817
  Multiple Mozilla products XBL binding valueOf.call and valueOf.apply code execution CVE-2006-1733 Vulnerability Report
- http://lists.suse.com/archive/suse-security-announce/2006-Apr/0003.html
  Object not found!
- http://secunia.com/advisories/19780
  About Secunia Research | Flexera
- ftp://patches.sgi.com/support/free/security/advisories/20060404-01-U.asc
  (Patch)
- https://usn.ubuntu.com/276-1/
  404: Page not found | Ubuntu
- http://www.securityfocus.com/bid/17516
- http://www.securityfocus.com/archive/1/436338/100/0/threaded
- https://usn.ubuntu.com/275-1/
  404: Page not found | Ubuntu
- http://www.redhat.com/support/errata/RHSA-2006-0328.html
  Support
- http://secunia.com/advisories/19902
  About Secunia Research | Flexera (Vendor Advisory)
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:075
  Mandriva
- http://www.debian.org/security/2006/dsa-1044
  [SECURITY] [DSA 1044-1] New Mozilla Firefox packages fix several vulnerabilities
- http://www.gentoo.org/security/en/glsa/glsa-200604-18.xml
  Mozilla Suite: Multiple vulnerabilities (GLSA 200604-18) — Gentoo security