Executive Summary

This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry (CWE-79, cross-site scripting; see the CWE section below).
Information

Name: CVE-2010-0162
Vendor: Cve
First vendor publication: 2010-02-22
Last vendor modification: 2017-09-19

Security-Database Scoring CVSS v3

CVSS vector: N/A (no CVSS v3 vector has been assigned to this CVE)
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact sub score: NA
Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS base score: 4.3
CVSS impact score: 2.9
CVSS exploit score: 8.6
Attack range: Network
Attack complexity: Medium
Authentication: None required

The vector describes a network-reachable, unauthenticated attack of medium complexity (the victim must be made to load attacker-controlled content) whose only rated impact is a partial loss of integrity, the standard CVSS v2 profile for a cross-site scripting issue.

Detail

Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly support the application/octet-stream content type as a protection mechanism against execution of web script in certain circumstances involving SVG and the EMBED element, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via an embedded SVG document.

In practice this concerns sites that accept user-supplied SVG and serve it with Content-Type: application/octet-stream so that browsers download it instead of rendering it. An affected browser that referenced such a file through an EMBED element could still treat it as an SVG document and execute the script it contains, which is an XSS against the site that served the file. The vendor updates listed below are the fix; the content type alone was not a reliable barrier in these builds.
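As an added example (it is not code from Mozilla, the advisory, or any scanner listed on this page), the following Node.js module shows the server-side defense in depth a site should apply to user-uploaded SVG, given that this CVE demonstrates a Content-Type of application/octet-stream on its own was not a reliable script-execution barrier. The file names, the /uploads/ path, the header set, the classification heuristic and the function names are assumptions of the example.

```javascript
// Added example for this page, not code from Mozilla, the advisory or any vendor.
// It serves user-uploaded files so that an SVG cannot run script in the serving
// site's origin. CVE-2010-0162 is the reminder that application/octet-stream on
// its own was not enough: affected Firefox/SeaMonkey builds still rendered an
// <embed>ed SVG and ran its script. All names below are this example's own.

// Constructed sample uploads: an SVG carrying script, a clean SVG, a plain file.
const SAMPLE_UPLOADS = {
  'avatar.svg': Buffer.from(
    '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>'),
  'logo.svg': Buffer.from(
    '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'),
  'notes.txt': Buffer.from('plain text, nothing active here'),
};

// Upload-time gate (heuristic of this example, not a full XML parser): detect an
// SVG root in the first KiB (after any UTF-8 BOM) and script carriers anywhere in
// the body: <script>, on* event-handler attributes, javascript: URLs.
function classifyUpload(bytes) {
  const text = bytes.toString('utf8').replace(/^\uFEFF/, '');
  const head = text.slice(0, 1024);
  const isSvg = /<svg[\s>]/i.test(head) || /<!DOCTYPE\s+svg/i.test(head);
  if (!isSvg) return 'other';
  const active = /<script[\s>]/i.test(text) || /\son[a-z]+\s*=/i.test(text) || /javascript:/i.test(text);
  return active ? 'svg-active' : 'svg';
}

// Reject SVG that carries script outright; the download headers then only have
// to cover what sniffing or a future browser bug might miss.
function acceptUpload(bytes) {
  return classifyUpload(bytes) !== 'svg-active';
}

// Headers for a download response. Each header is a separate layer; none of
// them is the fix for the browser bug itself, which is the vendor update.
function downloadHeaders(filename, bytes) {
  const safeName = filename.replace(/[^\w.-]/g, '_');
  return {
    'Content-Type': 'application/octet-stream',
    'Content-Disposition': `attachment; filename="${safeName}"`, // download, do not render
    'X-Content-Type-Options': 'nosniff',                         // no sniffing back to image/svg+xml
    'Content-Security-Policy': "default-src 'none'; sandbox",     // if rendered anyway: no script, opaque origin
    'Cache-Control': 'no-store',
    'Content-Length': String(bytes.length),
  };
}

// Pure request handler: { status, headers, body } for GET /uploads/<name>.
// Only a flat, character-restricted name is accepted, so traversal cannot occur.
function handleRequest(pathname, uploads) {
  const m = /^\/uploads\/([\w.-]+)$/.exec(pathname);
  const bytes = m && Object.prototype.hasOwnProperty.call(uploads, m[1]) ? uploads[m[1]] : null;
  if (!bytes) return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
  return { status: 200, headers: downloadHeaders(m[1], bytes), body: bytes };
}

// Optional real server around handleRequest. Run it on a separate, cookie-less
// origin (uploads.example.invalid is an assumed name) so that a browser which
// renders the file anyway does so outside the application's origin.
function startServer(port, uploads = SAMPLE_UPLOADS) {
  const http = require('http');
  return http.createServer((req, res) => {
    const r = handleRequest(new URL(req.url, 'http://localhost').pathname, uploads);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(port);
}
```

Two caveats. First, Content-Security-Policy and X-Content-Type-Options are honoured by current browsers, not by the unpatched Firefox 3.0/3.5 builds named in this CVE, which predate CSP support; against those builds only the separate cookie-less origin and the upload-time rejection help, and the real remedy is the update. Second, the regexes are a gate for obviously active content, not a sanitizer: an SVG that passes classifyUpload should still be served with every header above, never inlined into an application page.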

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0162

CWE : Common Weakness Enumeration

Id: CWE-79 (100 %)
Name: Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:10697
Title: Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly support the application/octet-stream content type as a protection mechanism against execution of web script in certain circumstances involving SVG and the EMBED element, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via an embedded SVG document.
Description: identical to the title.
Family: unix
Class: vulnerability
Reference(s): CVE-2010-0162
Version: 5
Platform(s): Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5
Product(s): none listed
Oval ID: oval:org.mitre.oval:def:12877
Title: USN-896-1 -- firefox-3.5, xulrunner-1.9.1 vulnerabilities
Description: Several flaws were discovered in the browser engine of Firefox. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. Orlando Barrera II discovered a flaw in the Web Workers implementation of Firefox. If a user were tricked into posting to a malicious website, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. Alin Rad Pop discovered that Firefox's HTML parser would incorrectly free memory under certain circumstances. If the browser could be made to access these freed memory objects, an attacker could exploit this to execute arbitrary code with the privileges of the user invoking the program. Hidetake Jo discovered that the showModalDialog in Firefox did not always honor the same-origin policy. An attacker could exploit this to run untrusted JavaScript from other domains. Georgi Guninski discovered that the same-origin check in Firefox could be bypassed by utilizing a crafted SVG image. If a user were tricked into viewing a malicious website, an attacker could exploit this to read data from other domains.
Family: unix
Class: patch
Reference(s): USN-896-1, CVE-2010-0159, CVE-2010-0160, CVE-2009-1571, CVE-2009-3988, CVE-2010-0162
Version: 5
Platform(s): Ubuntu 9.10
Product(s): firefox-3.5, xulrunner-1.9.1
Oval ID: oval:org.mitre.oval:def:13158
Title: USN-895-1 -- firefox-3.0, xulrunner-1.9 vulnerabilities
Description: Several flaws were discovered in the browser engine of Firefox. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. Orlando Barrera II discovered a flaw in the Web Workers implementation of Firefox. If a user were tricked into posting to a malicious website, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. Alin Rad Pop discovered that Firefox's HTML parser would incorrectly free memory under certain circumstances. If the browser could be made to access these freed memory objects, an attacker could exploit this to execute arbitrary code with the privileges of the user invoking the program. Hidetake Jo discovered that the showModalDialog in Firefox did not always honor the same-origin policy. An attacker could exploit this to run untrusted JavaScript from other domains. Georgi Guninski discovered that the same-origin check in Firefox could be bypassed by utilizing a crafted SVG image. If a user were tricked into viewing a malicious website, an attacker could exploit this to read data from other domains.
Family: unix
Class: patch
Reference(s): USN-895-1, CVE-2010-0159, CVE-2010-0160, CVE-2009-1571, CVE-2009-3988, CVE-2010-0162
Version: 5
Platform(s): Ubuntu 8.10, Ubuntu 8.04, Ubuntu 9.04
Product(s): firefox-3.0, xulrunner-1.9
Oval ID: oval:org.mitre.oval:def:13349
Title: DSA-1999-1 xulrunner -- several
Description: Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1571 Alin Rad Pop discovered that incorrect memory handling in the HTML parser could lead to the execution of arbitrary code. CVE-2009-3988 Hidetake Jo discovered that the same-origin policy can be bypassed through window.dialogArguments. CVE-2010-0159 Henri Sivonen, Boris Zbarsky, Zack Weinberg, Bob Clary, Martijn Wargers and Paul Nickerson reported crashes in layout engine, which might allow the execution of arbitrary code. CVE-2010-0160 Orlando Barrera II discovered that incorrect memory handling in the implementation of the web worker API could lead to the execution of arbitrary code. CVE-2010-0162 Georgi Guninski discovered that the same origin policy can be bypassed through specially crafted SVG documents. For the stable distribution, these problems have been fixed in version 1.9.0.18-1. For the unstable distribution, these problems have been fixed in version 1.9.1.8-1. We recommend that you upgrade your xulrunner packages.
Family: unix
Class: patch
Reference(s): DSA-1999-1, CVE-2009-1571, CVE-2009-3988, CVE-2010-0159, CVE-2010-0160, CVE-2010-0162
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): xulrunner
Oval ID: oval:org.mitre.oval:def:7463
Title: DSA-1999 xulrunner -- several vulnerabilities
Description: Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Alin Rad Pop discovered that incorrect memory handling in the HTML parser could lead to the execution of arbitrary code. Hidetake Jo discovered that the same-origin policy can be bypassed through window.dialogArguments. Henri Sivonen, Boris Zbarsky, Zack Weinberg, Bob Clary, Martijn Wargers and Paul Nickerson reported crashes in layout engine, which might allow the execution of arbitrary code. Orlando Barrera II discovered that incorrect memory handling in the implementation of the web worker API could lead to the execution of arbitrary code. Georgi Guninski discovered that the same origin policy can be bypassed through specially crafted SVG documents.
Family: unix
Class: patch
Reference(s): DSA-1999, CVE-2009-1571, CVE-2009-3988, CVE-2010-0159, CVE-2010-0160, CVE-2010-0162
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): xulrunner
Oval ID: oval:org.mitre.oval:def:8631
Title: Mozilla Firefox and SeaMonkey XSS hazard using SVG document and binary Content-Type
Description: Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly support the application/octet-stream content type as a protection mechanism against execution of web script in certain circumstances involving SVG and the EMBED element, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via an embedded SVG document.
Family: windows
Class: vulnerability
Reference(s): CVE-2010-0162
Version: 15
Platform(s): Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Vista, Microsoft Windows 7
Product(s): Mozilla Firefox, Mozilla Seamonkey
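The OVAL definitions above express the affected ranges as per-distribution package checks. As an added example that is not one of those definitions or any scanner plugin listed on this page, here is the same range logic as a stand-alone JavaScript version comparison, usable for instance against User-Agent strings in web server logs to find clients still running an affected build. The fixed versions come from the advisory text (Firefox 3.0.18, Firefox 3.5.8, SeaMonkey 2.0.3); the pre-release ordering, the User-Agent regex and the function names are assumptions of this example.

```javascript
// Added example for this page; not an OVAL definition, NVT or Nessus plugin.
// Classifies a Mozilla product build against the ranges CVE-2010-0162 names:
// Firefox 3.0.x before 3.0.18, Firefox 3.5.x before 3.5.8, SeaMonkey before 2.0.3.

const FIXED = {
  firefox: [
    { branch: [3, 0], fixed: [3, 0, 18] },
    { branch: [3, 5], fixed: [3, 5, 8] },
  ],
  seamonkey: [
    { branch: null, fixed: [2, 0, 3] }, // "SeaMonkey before 2.0.3": every earlier version
  ],
};

// Parse "3.0.17", "3.5.8pre", "2.0.2" into { parts: [..numbers..], pre: bool }.
// A non-numeric tail (e.g. "pre", "b4") is treated as a pre-release that sorts
// BEFORE the bare numeric version. That ordering is an assumption of this example.
function parseVersion(s) {
  const m = /^(\d+(?:\.\d+)*)(.*)$/.exec(s.trim());
  if (!m) throw new Error(`unparseable version: ${s}`);
  return { parts: m[1].split('.').map(Number), pre: m[2] !== '' };
}

// Compare numeric parts (missing trailing parts count as 0), then pre-release status.
function compareVersions(a, b) {
  const n = Math.max(a.parts.length, b.parts.length);
  for (let i = 0; i < n; i++) {
    const x = i < a.parts.length ? a.parts[i] : 0;
    const y = i < b.parts.length ? b.parts[i] : 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (a.pre !== b.pre) return a.pre ? -1 : 1;
  return 0;
}

function onBranch(v, branch) {
  return branch === null || branch.every((x, i) => (i < v.parts.length ? v.parts[i] : 0) === x);
}

// 'affected'  : inside a range the advisory names
// 'fixed'     : on a named branch at or after its fixed version
// 'unlisted'  : a product or branch the advisory does not mention (e.g. Firefox 3.6
//               or the end-of-life 2.0 line); this is NOT a statement that it is safe.
function classifyBuild(product, version) {
  const ranges = FIXED[product.toLowerCase()];
  if (!ranges) return 'unlisted';
  const v = parseVersion(version);
  const r = ranges.find(x => onBranch(v, x.branch));
  if (!r) return 'unlisted';
  return compareVersions(v, { parts: r.fixed, pre: false }) < 0 ? 'affected' : 'fixed';
}

function isAffected(product, version) {
  return classifyBuild(product, version) === 'affected';
}

// Minimal User-Agent extraction, e.g.
// "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7".
// The regex is this example's own and will also match browsers that merely
// include a Firefox/ token in their UA string.
function affectedFromUserAgent(ua) {
  const m = /\b(Firefox|SeaMonkey)\/([\w.]+)/i.exec(ua);
  return m !== null && isAffected(m[1], m[2]);
}
```

Two caveats for anyone running this over logs or inventories. A distribution can ship a backported fix while keeping an old version string, so for hosts you administer the package-level OVAL and Nessus checks listed on this page are the authoritative test; this comparison only tells you what a client claims to be. And 'unlisted' means the advisory says nothing about that branch, not that it is safe: Firefox 3.6 is outside the named ranges, while the 2.0 line was already end of life.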

CPE : Common Platform Enumeration

Type: Application, Description: (not captured on this page), Count: 28
Type: Application, Description: (not captured on this page), Count: 39

OpenVAS Exploits (OpenVAS NVTs that detect missing vendor updates or affected versions; they are detection checks, not exploit code)

Date Description
2011-08-09 Name : CentOS Update for firefox CESA-2010:0112 centos5 i386
File : nvt/gb_CESA-2010_0112_firefox_centos5_i386.nasl
2010-03-05 Name : SuSE Update for MozillaFirefox,seamonkey SUSE-SA:2010:015
File : nvt/gb_suse_2010_015.nasl
2010-03-02 Name : Fedora Update for kazehakase FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_kazehakase_fc11.nasl
2010-03-02 Name : Fedora Update for epiphany FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_epiphany_fc11.nasl
2010-03-02 Name : Fedora Update for evolution-rss FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_evolution-rss_fc11.nasl
2010-03-02 Name : Fedora Update for firefox FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_firefox_fc11.nasl
2010-03-02 Name : Fedora Update for galeon FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_galeon_fc11.nasl
2010-03-02 Name : Fedora Update for gnome-python2-extras FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_gnome-python2-extras_fc11.nasl
2010-03-02 Name : Fedora Update for gnome-web-photo FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_gnome-web-photo_fc11.nasl
2010-03-02 Name : Fedora Update for google-gadgets FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_google-gadgets_fc11.nasl
2010-03-02 Name : Fedora Update for hulahop FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_hulahop_fc11.nasl
2010-03-02 Name : Fedora Update for eclipse FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_eclipse_fc11.nasl
2010-03-02 Name : Fedora Update for monodevelop FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_monodevelop_fc11.nasl
2010-03-02 Name : Fedora Update for mozvoikko FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_mozvoikko_fc11.nasl
2010-03-02 Name : Fedora Update for pcmanx-gtk2 FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_pcmanx-gtk2_fc11.nasl
2010-03-02 Name : Fedora Update for perl-Gtk2-MozEmbed FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_perl-Gtk2-MozEmbed_fc11.nasl
2010-03-02 Name : Fedora Update for ruby-gnome2 FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_ruby-gnome2_fc11.nasl
2010-03-02 Name : Fedora Update for xulrunner FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_xulrunner_fc11.nasl
2010-03-02 Name : Fedora Update for epiphany-extensions FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_epiphany-extensions_fc11.nasl
2010-03-02 Name : Fedora Update for chmsee FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_chmsee_fc11.nasl
2010-03-02 Name : Fedora Update for blam FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_blam_fc11.nasl
2010-03-02 Name : Fedora Update for Miro FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_Miro_fc11.nasl
2010-03-02 Name : Fedora Update for seamonkey FEDORA-2010-1932
File : nvt/gb_fedora_2010_1932_seamonkey_fc12.nasl
2010-03-02 Name : Fedora Update for xulrunner FEDORA-2010-1727
File : nvt/gb_fedora_2010_1727_xulrunner_fc12.nasl
2010-03-02 Name : Fedora Update for perl-Gtk2-MozEmbed FEDORA-2010-1727
File : nvt/gb_fedora_2010_1727_perl-Gtk2-MozEmbed_fc12.nasl
2010-03-02 Name : Fedora Update for mozvoikko FEDORA-2010-1727
File : nvt/gb_fedora_2010_1727_mozvoikko_fc12.nasl
2010-03-02 Name : Fedora Update for gnome-web-photo FEDORA-2010-1727
File : nvt/gb_fedora_2010_1727_gnome-web-photo_fc12.nasl
2010-03-02 Name : Fedora Update for gnome-python2-extras FEDORA-2010-1727
File : nvt/gb_fedora_2010_1727_gnome-python2-extras_fc12.nasl
2010-03-02 Name : Fedora Update for galeon FEDORA-2010-1727
File : nvt/gb_fedora_2010_1727_galeon_fc12.nasl
2010-03-02 Name : Fedora Update for firefox FEDORA-2010-1727
File : nvt/gb_fedora_2010_1727_firefox_fc12.nasl
2010-03-02 Name : Fedora Update for blam FEDORA-2010-1727
File : nvt/gb_fedora_2010_1727_blam_fc12.nasl
2010-03-02 Name : Fedora Update for yelp FEDORA-2010-1936
File : nvt/gb_fedora_2010_1936_yelp_fc11.nasl
2010-02-26 Name : Mozilla Products Multiple Vulnerabilities feb-10 (Win)
File : nvt/secpod_mozilla_prdts_mult_vuln_feb10_win01.nasl
2010-02-26 Name : Mozilla Products Multiple Vulnerabilities feb-10 (Lin)
File : nvt/secpod_mozilla_prdts_mult_vuln_feb10_lin01.nasl
2010-02-25 Name : Debian Security Advisory DSA 1999-1 (xulrunner)
File : nvt/deb_1999_1.nasl
2010-02-22 Name : Mandriva Update for firefox MDVSA-2010:042 (firefox)
File : nvt/gb_mandriva_MDVSA_2010_042.nasl
2010-02-19 Name : RedHat Update for firefox RHSA-2010:0112-01
File : nvt/gb_RHSA-2010_0112-01_firefox.nasl
2010-02-19 Name : CentOS Update for firefox CESA-2010:0112 centos4 i386
File : nvt/gb_CESA-2010_0112_firefox_centos4_i386.nasl
2010-02-19 Name : Ubuntu Update for Firefox 3.0 and Xulrunner 1.9 vulnerabilities USN-895-1
File : nvt/gb_ubuntu_USN_895_1.nasl
2010-02-19 Name : Ubuntu Update for Firefox 3.5 and Xulrunner 1.9.1 vulnerabilities USN-896-1
File : nvt/gb_ubuntu_USN_896_1.nasl
2010-02-18 Name : FreeBSD Ports: firefox
File : nvt/freebsd_firefox44.nasl
2010-01-29 Name : Mandriva Update for urpmi MDVA-2010:042 (urpmi)
File : nvt/gb_mandriva_MDVA_2010_042.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
62426 Mozilla Multiple Browsers SVG Document Binary Content-Type Header XSS Weakness

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0112.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0113.nasl - Type : ACT_GATHER_INFO
2013-01-08 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201301-01.nasl - Type : ACT_GATHER_INFO
2010-10-11 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_mozilla-xulrunner190-6866.nasl - Type : ACT_GATHER_INFO
2010-10-11 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_MozillaFirefox-6867.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2010-1727.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-1932.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2010-1936.nasl - Type : ACT_GATHER_INFO
2010-03-11 Name : The remote SuSE system is missing a security patch for MozillaThunderbird
File : suse_11_2_MozillaThunderbird-100305.nasl - Type : ACT_GATHER_INFO
2010-02-25 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_mozilla-xulrunner190-100219.nasl - Type : ACT_GATHER_INFO
2010-02-25 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_MozillaFirefox-100219.nasl - Type : ACT_GATHER_INFO
2010-02-25 Name : The remote openSUSE host is missing a security update.
File : suse_11_2_seamonkey-100218.nasl - Type : ACT_GATHER_INFO
2010-02-25 Name : The remote openSUSE host is missing a security update.
File : suse_11_2_MozillaFirefox-100218.nasl - Type : ACT_GATHER_INFO
2010-02-25 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_MozillaFirefox-100223.nasl - Type : ACT_GATHER_INFO
2010-02-25 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_MozillaFirefox-100223.nasl - Type : ACT_GATHER_INFO
2010-02-25 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_MozillaFirefox-6863.nasl - Type : ACT_GATHER_INFO
2010-02-25 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_mozilla-xulrunner190-6871.nasl - Type : ACT_GATHER_INFO
2010-02-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1999.nasl - Type : ACT_GATHER_INFO
2010-02-22 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2010-042.nasl - Type : ACT_GATHER_INFO
2010-02-19 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_f82c85d81c6e11dfabb2000f20797ede.nasl - Type : ACT_GATHER_INFO
2010-02-18 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-895-1.nasl - Type : ACT_GATHER_INFO
2010-02-18 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-896-1.nasl - Type : ACT_GATHER_INFO
2010-02-18 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0113.nasl - Type : ACT_GATHER_INFO
2010-02-18 Name : The remote Windows host contains a web browser that is affected by multiple v...
File : seamonkey_203.nasl - Type : ACT_GATHER_INFO
2010-02-18 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0112.nasl - Type : ACT_GATHER_INFO
2010-02-18 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0112.nasl - Type : ACT_GATHER_INFO
2010-02-18 Name : The remote Windows host contains a web browser that is affected by multiple v...
File : mozilla_firefox_358.nasl - Type : ACT_GATHER_INFO
2010-02-18 Name : The remote Windows host contains a web browser that is affected by multiple v...
File : mozilla_firefox_3018.nasl - Type : ACT_GATHER_INFO
2010-02-18 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0113.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source Url
CONFIRM http://www.mozilla.org/security/announce/2010/mfsa2010-05.html
https://bugzilla.mozilla.org/show_bug.cgi?id=455472
DEBIAN http://www.debian.org/security/2010/dsa-1999
FEDORA http://lists.fedoraproject.org/pipermail/package-announce/2010-February/03534...
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/03536...
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/03542...
MANDRIVA http://www.mandriva.com/security/advisories?name=MDVSA-2010:042
OVAL https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
REDHAT http://www.redhat.com/support/errata/RHSA-2010-0112.html
SECUNIA http://secunia.com/advisories/37242
http://secunia.com/advisories/38847
SUSE http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00001.html
UBUNTU http://www.ubuntu.com/usn/USN-895-1
http://www.ubuntu.com/usn/USN-896-1
VUPEN http://www.vupen.com/english/advisories/2010/0405
XF https://exchange.xforce.ibmcloud.com/vulnerabilities/56363

Alert History

Date / Information
2024-02-02 01:12:28
  • Multiple Updates
2024-02-01 12:03:27
  • Multiple Updates
2023-09-05 12:11:43
  • Multiple Updates
2023-09-05 01:03:18
  • Multiple Updates
2023-09-02 12:11:46
  • Multiple Updates
2023-09-02 01:03:20
  • Multiple Updates
2023-08-12 12:13:55
  • Multiple Updates
2023-08-12 01:03:20
  • Multiple Updates
2023-08-11 12:11:49
  • Multiple Updates
2023-08-11 01:03:28
  • Multiple Updates
2023-08-06 12:11:21
  • Multiple Updates
2023-08-06 01:03:22
  • Multiple Updates
2023-08-04 12:11:26
  • Multiple Updates
2023-08-04 01:03:23
  • Multiple Updates
2023-07-14 12:11:23
  • Multiple Updates
2023-07-14 01:03:21
  • Multiple Updates
2023-03-29 01:13:04
  • Multiple Updates
2023-03-28 12:03:27
  • Multiple Updates
2022-10-11 12:10:09
  • Multiple Updates
2022-10-11 01:03:09
  • Multiple Updates
2021-05-04 12:10:57
  • Multiple Updates
2021-04-22 01:11:32
  • Multiple Updates
2020-05-23 00:25:06
  • Multiple Updates
2017-09-19 09:23:35
  • Multiple Updates
2017-08-17 09:22:53
  • Multiple Updates
2016-04-26 19:30:50
  • Multiple Updates
2014-02-17 10:53:19
  • Multiple Updates
2013-05-10 23:16:28
  • Multiple Updates