CVE-2010-0182

medium

Description

The XMLDocument::load function in Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 does not perform the expected nsIContentPolicy checks during loading of content by XML documents, which allows attackers to bypass intended access restrictions via crafted content.

References

http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html

http://secunia.com/advisories/39397

http://support.avaya.com/css/P8/documents/100091069

http://ubuntu.com/usn/usn-921-1

http://www.mandriva.com/security/advisories?name=MDVSA-2010:070

http://www.mozilla.org/security/announce/2010/mfsa2010-24.html

http://www.redhat.com/support/errata/RHSA-2010-0500.html

http://www.redhat.com/support/errata/RHSA-2010-0501.html

http://www.securityfocus.com/bid/39479

http://www.vupen.com/english/advisories/2010/0748

http://www.vupen.com/english/advisories/2010/0849

http://www.vupen.com/english/advisories/2010/1557

https://bugzilla.mozilla.org/show_bug.cgi?id=490790

https://exchange.xforce.ibmcloud.com/vulnerabilities/57396

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7618

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9375

Details

Source: MITRE

Published: 2010-04-05

Updated: 2018-10-30

Type: CWE-20

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM