Older Vulnerabilities in Mozilla Products
This page archives security announcements made for older versions of Mozilla projects. Please see the active Known Vulnerabilities page for more recent security advisories.
- Fixed in Firefox Preview Release update (0.10.1)
- Fixed in Firefox Preview Release, Mozilla 1.7.3, Thunderbird 0.8
- Fixed in Mozilla 1.7.2/Firefox 0.9.3/Thunderbird 0.7.3
- Fixed in Mozilla 1.7.1/Firefox 0.9.2/Thunderbird 0.7.2
- Fixed in Mozilla 1.7/Firefox 0.9/Thunderbird 0.7
- Fixed in Mozilla 1.6
- November 2003 Update
- July 2003 Update
- February 2003 Update
- Updates up to December 2002
Fixed in Firefox Preview Release update (0.10.1)
| # | Title | Severity / Risk | Type | Description | Reported by | Date Fixed |
|---|---|---|---|---|---|---|
| 94 | Downloading link deletes files | high / high | dataloss |
Firefox simplifies the task of saving files by automatically using a
filename based on the original link. A specific link format triggers
a bug in this feature and can cause the deletion of files in the
download directory. An attacker would need to convince a victim to
click the "Save" button to download a file from their site. Workaround: Cancel unexpected file save prompts and any from untrusted sites. When saving files, right-click on the link and select "Save link as" from the context menu. |
Alex Vincent | 2004-09-29 |
Fixed in Firefox Preview Release, Mozilla 1.7.3, Thunderbird 0.8
| # | Title | Severity / Risk | Type | Description | Reported by | Date Fixed |
|---|---|---|---|---|---|---|
| 93 | "Send page" heap overrun (258005) | critical / moderate | remote execution | The "send page" function can overrun the heap on very long links. With compelling content that people will want to forward to all their friends and the right link this could be used to execute arbitrary code. | Georgi Guninski | 2004-09-07 |
| 92 | javascript clipboard access (257523) | moderate / high | clipboard leak | Untrusted javascript code can read and write to the clipboard, stealing any sensitive data the user might have copied. Workaround: disable javascript | Wladimir Palant | 2004-09-01 |
| 91 | Privilege request confusion (253942) | critical / low | remote execution | Signed scripts requesting enhanced abilities could construct the request in a way that led to a confusing grant dialog, possibly fooling the user into thinking the privilege requested was inconsequential while actually obtaining explicit permission to run and install software. Workaround: Never grant enhanced abilities of any kind to untrusted web pages. | Jesse Ruderman | 2004-09-01 |
| 90 | Buffer overflow when displaying VCard (257314) | critical / high | remote execution | A stack buffer overrun in VCard display routines could be exploited to run arbitrary code supplied by the attacker. Workaround: Disable in-line display of attachments, don't open VCard attachments. | Georgi Guninski | 2004-08-30 |
| 89 | BMP integer overflow (255067) | critical / high | heap overrun | extremely wide BMP images trigger an integer overflow, leading to heap overruns that are potentially exploitable to run arbitrary code. Workaround: Disable images. | Gael Delalleau | 2004-08-27 |
| 88 | javascript: link dragging (250862) | critical / moderate | cross-domain scripting, possibly remote execution | javascript; links dragged onto another frame or page allows an attacker to steal or modify sensitive information from other sites. The user could be convinced to drag obscurred links in the context of a game or even a fake scrollbar. If the user could be convinced to drag two links in sequence into a separate window (not frame) the attacker would be able to run arbitrary programs. | Jesse Ruderman | 2004-08-26 |
| 87 | non-ascii hostname heap overrun (256316) | critical / high | remote execution | A link with a non-ascii hostname can cause a heap buffer overrun that could potentially be exploited to run arbitrary programs. | Mats Palmgren, Gael Delalleau | 2004-08-24 |
| 86 | Malicious POP3 server III (245066, 226669) | critical / moderate | remote execution | Responses from a malicious POP3 mail server can trigger heap overruns that can be exploited to run arbitrary code. | Gael Delalleau | 2004-08-17 |
| 85 | Wrong file permissions after installing on Linux (231083, 235781) | moderate / low | local exploit | The Linux installers could create files world readable and writable, allowing another local user to replace them with malicious versions. Workaround: chmod the installed files | Daniel Koukola, Andrew Schultz | 2004-08-16 |
| 84 | Wrong file permissions in linux archive (254303) | moderate / low | local exploit | File permissions and owner were set wrong in the Linux install .tar.gz archives. If unpacked with an option to ignore the user's umask setting (or with a permissive umask) the resulting files could be secretly replaced with malicious versions by any other user on the system. Workaround: chmod and chown the files after unpacking. | Harald Milz | 2004-08-16 |
Fixed in Mozilla 1.7.2/Firefox 0.9.3/Thunderbird 0.7.3
| # | Title | Severity / Risk | Type | Description | Reported by | Date Fixed |
|---|---|---|---|---|---|---|
| 83 | buffer and integer overflows in libpng (251381) | critical / high | remote execution | Multiple flaws in libpng were announced, the worst of which could lead to remote code execution via buffer overflow. CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 | Chris Evans | 2004-08-03 |
| 82 | lock icon and certificate spoof with onunload document.write (253121) | moderate / moderate | spoof | The lock icon and certificate from a previous secure site can persist if a page is re-written using an onunload handler. Combined with redirects this could be used to spoof secure sites. The location bar, if shown, displays the true URL. CAN-2004-0763 | Emmanouel Kellinis | 2004-07-27 |
| 81 | Malicious certificates can permanently break HTTPS/SSL (249004) | critical / high | persistent DOS | Malicious email certificates could mask built-in Certificate Authority (CA) certificates. Once imported anything signed by the masked CA would not validate, which could be used to permanently block all SSL (https:) sites with certs issued by that CA. CAN-2004-0758 | Marcel Boesch | 2004-07-27 |
Fixed in Mozilla 1.7.1/Firefox 0.9.2/Thunderbird 0.7.2
| # | Title | Severity / Risk | Type | Description | Reported by | Date Fixed |
|---|---|---|---|---|---|---|
| 80 | Windows shell: protocol handler (250180) | critical / high | remote execution | shell: URLs were passed to windows for handling which could result in launching programs. This could theoretically be combined with an unpatched exploit in some default windows filetype handler to run arbitrary code | Keith McCanless | 2004-07-07 |
Fixed in Mozilla 1.7/Firefox 0.9/Thunderbird 0.7
| # | Title | Severity / Risk | Type | Description | Reported by | Date Fixed |
|---|---|---|---|---|---|---|
| 79 | Spoof contents of framed site (246448) | moderate / moderate | spoof | The contents of a frames within a document could be replaced by an attacker with a reference to that window, while leaving the address in the location bar. On a secure site the lock icon would change to broken, but otherwise it could be a successful spoof. | Jesse Ruderman | 2004-06-16 |
| 78 | security dialog popup (162020) | critical / high | remote code execution | An attacker who could lure users into clicking in particular places, or typing specific text, could cause a security permission or software installation dialog to pop up under the user's mouse click, clicking on the grant (or install) button. | Jesse Ruderman | 2004-06-05 |
| 77 | Untrusted content displayed with "chrome" flag (244965) | moderate / low | spoof | Untrusted web content can open windows with the "chrome" style. This suppresses the normal browser frame and makes spoofed dialogs easy (such as the master password dialog). Affects Mozilla 1.6 through 1.7rc2. | James Ross | 2004-06-02 |
| 76 | POP3 mail server heap overrun (229374) | critical / low | heap overrun | A variant of bug 157644 (see #27 below), malicious POP server could overwrite memory and execute arbitrary code. | zen parse | 2004-05-29 |
| 75 | Mac remote code execution via help: and disk: (243699) | critical / high | remote code execution |
lixlpixel reported vulnerabilities in the help: and disk: URI schemes
in some versions of Mac OS X. Web content could access those schemes
through Mozilla. Workaround: install the latest OS patches. |
Mike Calmus | 2004-05-17 |
| 74 | PNG out-of-bounds read (242915) | minor / low | DOS | The libpng project announced a bug that could be exploited as a denial of service attack. See CAN-2004-0421 | Glenn Randers-Pehrson | 2004-05-07 |
| 73 | automatic file upload (241924) | high / moderate | file access |
Regression in Mozilla 1.7-beta only: file upload control value can be
pre-filled using document.write() and innerHTML, allowing attacker to
programmatically submit the form and capture a file at a known location.
Workaround: disable Javascript |
Met - Martin Hassman | 2004-04-28 |
| 72 | SSL Certificate Spoof (240053) | high / high | spoof | A malicious page can use redirects to turn on the SSL lock icon and appear secure. This could be used to further phishing scams. | Tolga Tarhan | 2004-04-10 |
| 71 | Stealing secure HTTP Auth passwords via DNS spoof (226278) | high / low | password theft | HTTP auth passwords were cached by site and port but did not store whether the protocol used was secure (SSL) or not. An attacker who could spoof your DNS could wait until you authenticate to a secure site then redirect a later connection to that site and port during that session to a non-SSL machine under their control, thus stealing the secure password. | Christopher Nebergall | 2004-04-07 |
| 70 | non-FQDN cert name matching is insecure (234058) | minor / low | spoof | A non-FQDN URI hostname can match part of a cert name w/out a warning dialog. Could be used for spoofing if an attacker had control of machines on your default DNS search path. | Tim Dierks | 2004-04-07 |
| 69 | remote access to local files through Liveconnect (239122) | high / high | remote reading | Mozilla 1.7beta allowed remote web pages to read local files in known locations using Liveconnect (requires Java; 1.7alpha and earlier are safe) | Darin Fisher | 2004-04-05 |
| 68 | redefine focus()/blur() on another window (86028) | minor / low | DOS | Attacker can replace some functions on windows he opened. Replaced functions run in the attacker's domain so can't steal data, but could interfere with the operation of the other window. | Jesse Ruderman | 2004-03-25 |
| 67 | SOAPParameter overflow (236618) | critical / high | remote code execution |
An integer overflow passing a large js array to the SOAPParameter
constructor results in a controlled overwriting of the heap, which
can be exploited to run arbitary code of the attacker's choice.
Workaround: disable Javascript |
zen parse / iDEFENSE | 2004-03-08 |
| 66 | drag into file upload control (206859) | high / low | file access | A clever attacker might be able to trick a user into dragging disguised text into an obscured file upload control, resulting in the capture of a user's file at a known location. | Jesse Ruderman | 2004-02-11 |
Fixed in Mozilla 1.6
| # | Title | Severity / Risk | Type | Description | Reported by | Date Fixed |
|---|---|---|---|---|---|---|
| 65 | %00 status bar spoof (228176) | minor / low | spoof | %00 in an href truncates the status bar display when you mouse over the link. This could be used to further phishing scams in mail where Javascript is disabled and the status bar might be trusted more than in normal web content. | Secunia | 2004-01-06 |
| 64 | Cross-domain exploit on zombie document with event handlers (227417) | moderate / low | same-origin violation | During page transition it was possible to run event handlers from the old page in the context of the new page. This has been demonstrated to allow cookie stealing, and potentially any sensitive account information displayed by the new site. | Andreas Sandblad | 2003-12-03 |
November 2003 Update
| # | Type | Fixed | Milestones Affected | Severity | Description | Bug Number(s) | Workarounds | Date Fixed |
|---|---|---|---|---|---|---|---|---|
| 63 | heap overflow | 1.5 1.4.2 | through 1.4 | Run arbitrary code | Malicious PPM image can cause a heap overrun, possibly allowing execution of arbitrary code | 220721 | Disable images | 2003-12-16 |
| 62 | JavaScript | 1.5, 1.4.1 | M1 to 1.4 | Run arbitrary code | Script.prototype.freeze/thaw could allow an attacker to run arbitrary code your computer. | 221526 | Disable JavaScript | 2003-10-07 |
| 61 | Running Executables | 1.5 1.4.2 | M1 to 1.4.1 | *.hta files could be executed on Windows | *.hta files were not treated as executable, and could be used to gain full access to a user's system | 220257 | Don't open *.hta or application/hta files | 2003-09-29 |
| 60 | Networking |
1.5 1.4.2 | M1 to 1.4.1 | Reading passwords | A malicious website could gain access to a user's authentication credentials to a proxy server. | 220122 | None | 2003-09-24 |
| 59 | JavaScript | firebird 0.7 | Firebird 0.6 | Run arbitrary code | A website could gain chrome privileges by overriding the setter of a property on an HTML link, if the user could be convinced to click on it. | 217195 | Disable JavaScript | 2003-09-23 |
| 58 | 1.5 | M1 to 1.4 | Storing passwords on disk | POP3 account passwords are saved to disk even when the user explicitly requests them not to be. | 217625 | Disable Password Manager | 2003-08-28 | |
| 57 | Cookies | 1.5 1.4.1 | M1 to 1.4 | Read cookies set by another path | By requesting a cookie with a path containing the escape sequence "%2E%2E", a malicious web site would be able to read cookies from different paths. | 213012 | Disable Cookies | 2003-07-28 |
| 56 | JavaScript | 1.4 | M1 to 1.3 | Determine whether a variable exists on a different domain | Cross-domain variable detection is possible using scopes (eval, with) | 158049 | Disable JavaScript | 2003-06-02 |
| 55 | JavaScript | 1.4 | M1 to 1.3 | Cross-domain scripting | Executing custom setters or getters on a different domain is possible. | 92773 | Disable JavaScript | 2003-03-06 |
| 54 | DOM | 1.4 | M1 to 1.3 | Determine whether a URL was visited | A website can use history.goURL to determine whether a URL was previously visited | 163549 | Disable JavaScript | 2003-02-25 |
| 53 | Cookies | 1.3 | M1 to 1.2 | Read cookies set by another path | Cookies set to path "abc" were able to be read by a page with path "abcd" | 155114 | Disable Cookies | 2002-08-11 |
July 2003 Update
| # | Type | Milestones Affected | Severity | Description | Bug Number(s) | Workarounds | Date Fixed |
|---|---|---|---|---|---|---|---|
| 52 | DOM | M1 to 1.3 | Read local JavaScript files | XUL script can read local JavaScript files | 180748 | Disable JavaScript | 2003-06-02 |
| 51 | DOM | M1 to 1.3 | Executing arbitrary JavaScript on a page | IMG tags can be misused to load and run arbitrary JavaScript on a page | 195201 | Disable JavaScript | 2003-05-29 |
| 50 | XBL | M1 to 1.3 | Read local files | A bug in XBL handling, and the feature that external applications create files with known names in well-known locations can be exploited to read local files | 200691 | Disable JavaScript | 2003-05-01 |
| 49 | DOM | M1 to 1.3 | Read data from third-party site | document.domain can be set improperly to gain access to third-party site | 204682 | Disable JavaScript | 2003-05-09 |
| 48 | DOM | M1 to 1.3 | Track URLs as they are visited | javascript: URL return values are converted to strings without security checks | 202994 | Disable JavaScript | 2003-05-02 |
| 47 | XUL | M1 to 1.3 | Reading XML files from known locations | XUL overlays can be loaded from third-party sites | 159450 | None | 2003-05-02 |
| 46 | Spoofing | M1 to 1.3 | Reading passwords | HTTP authentication password prompt could be confused for the mail server password prompt | 51631 | Memorize the real mail server password prompt and do not enter your password if the dialog is not exactly the same | 2003-04-25 |
| 45 | Buffer Overrun | M1 to 1.3 | Run arbitrary code | Reading a maliciously crafted email could cause an exploitable buffer overrun | 202546 | None | 2003-04-25 |
| 44 | Buffer Overrun | M1 to 1.3 | Run arbitrary code | Reading a maliciously crafted email could cause an exploitable buffer overrun | 201547 | None | 2003-04-23 |
| 43 | DOM | M1 to 1.3 | Read data from third-party sites | Clicking a javascript: links as a page is loading can cause the JavaScript to execute with wrong privileges which can enable reading data from third-party sites | 201839 | Disable JavaScript | 2003-04-18 |
| 42 | DOM | M1 to 1.3 | Read data from third-party sites | It's possible to read small amounts of data from pages from other hosts using the find() command; extremely slow and difficult in practice | 118657 | Disable JavaScript | 2003-04-18 |
| 41 | DOM | M1 to 1.3 | Read data from third-party sites | A malicious script can steal data from third-party sites using event handlers | 201132 | Disable JavaScript | 2003-04-17 |
| 40 | Java | M1 to 1.3 | Read local files | When Sun JRE is installed on the system, Java applets can read local files | 59767 | Disable Java | 2003-04-03 |
| 39 | Buffer Overrun | M1 to 1.3 | Run arbitrary code | When Sun JRE 1.4.1 and earlier is installed on the system it may be possible to cause an exploitable buffer overrun calling from JavaScript into Java | 183092 | Disable Java | 2003-03-31 |
| 38 | DOM | M1 to 1.3 | Reading limited data from 3rd-party websites | Getters/setters on script-defined properties in third-party pages can be read by scripts which allows limited data stealing | 92773 | Disable JavaScript | 2003-03-06 |
| 37 | IRC/Mail | 0.8 to 1.2 | Make user send faked mail without knowing | The IRC protocol could be used to trick an SMTP server into sending mail in the user's name; works only if Chatzilla installed | 190532 | None | 2003-02-04 |
| 36 | Spoofing | M1 to 1.2 | URLbar can display incorrect address | The HTTP 305 redirect command could be used by an attacker to spoof other sites' pages; only works when browsing through a proxy | 187996 | Do not use proxy, or Check the Page Info dialog and lock icon before entering sensitive data on a web page | 2003-01-28 |
| 35 | Configurable Security Policies | M1 to 1.2 | Optional Configurable Security Policies can be bypassed | Using a username section in URL it is possible to bypass the user-created, optional configurable security policies | 189799 | Do not add or change configurable security policies; the defaults are safe | 2003-01-24 |
| 34 | Spoofing | M1 to 1.0.1/1.2 | URLbar can display incorrect address | XUL can be used to make the URL bar display an incorrect address | 171274 | Check the Page Info dialog and lock icon before entering sensitive data on a web page | 2003-01-10 |
| 33 | Networking | M1 to 1.2 | On some platforms use old cached data | Some non-tier1 platforms (BeOS) do not truncate cache files properly which could result in a page that is a mix of old and new, which could result in unwanted purchases | 162588 | Clear cache before going to a page you have visited before | 2002-12-18 |
| 32 | XSLT | 0.8 to 1.2 | Reading XSLT files from known locations within a firewall | An XML file can load an XSLT stylesheet from a different host | 165532 | Disable XSLT | 2002-12-03 |
| 31 | DOM | M1 to 1.0.1/1.1 | Arbitrarily modify or read another document | A script that calls document.write while another page is loading can steal data from a third-party site | 91043 | Disable JavaScript | 2002-11-14 |
February 2003 Update
| # | Type | Milestones Affected | Severity | Description | Bug Number(s) | Workarounds | Date Fixed |
|---|---|---|---|---|---|---|---|
| 30 | M1 to 1.2 | Run arbitrary code | Upon receiving a malicious email message, double-clicking an attachment could allow an attacker to run arbitrary code. | 191817 | Do not open attachments from untrusted sources | 2003-02-06 | |
| 29 | Networking | 0.9.1 to 1.2 | Reading files from known locations within a firewall | By sending a "305 Redirect" message in response to a request, a malicious Web server can read files from within a firewall. | 187996 | None | 2003-01-28 |
| 28 | Networking | M1 to 1.2 | Run arbitrary code | Following a link to a maliciously crafted .jar archive file could allow an attacker to run arbitrary code. | 164695 | None | 2002-10-30 |
| 27 | M1 to 1.2 | Run arbitrary code | Connecting to a maliciously modified POP3 mail server could allow an attacker to run arbitrary code your computer. | 157644 | Do not connect to untrusted POP3 mail servers | 2002-10-21 | |
| 26 | Spoofing | 0.9.9 to 1.2 | Mistaking a malicious website for a legitimate one | wyciwyg:// URLs may be used to "spoof" the URL bar, causing it to display an incorrect URL | 159659 | Check the Page Info dialog and lock icon before entering sensitive data on a web page | 2002-09-20 |
Updates up to December 2002
| # | Type | Milestones Affected | Severity | Description | Bug Number(s) | Workarounds | Date Fixed |
|---|---|---|---|---|---|---|---|
| 1 | DOM | Through 1.0 RC1 | Local File Read | If a user visits a web site maintained by a hostile attacker, the attacker's web site can cause Mozilla to be redirected to a local file (or files) on the user's system in a way that allows the attacker to read file contents. | 141061 | Disable JavaScript | 1-May-2002 |
| 2 | DOM | Through 0.9.5 | Read User Input (keystrokes) | If a user visits a web site maintained by a hostile attacker, the attacker's page can eavesdrop on keyboard events occurring in other windows. | 18553 | Disable JavaScript | 4-Oct-2001 |
| 3 | Cookies | Through 1.0.1 | Read cookies set by another site | Various attacks involving the insertion of illegal characters into cookie data can cause other cookies set by a legitimate server to be sent to an attacker's server. Some of these attacks work only when browsing through a proxy server. | 104495, 146094 | Disable Cookies | 22-May-2002 |
| 4 | Script Insertion | Through 1.0.1 | Run arbitrary code | Various attacks involving the introduction of malicious scripts into dialogs that display information about the current page. When scripts from thes pages are inserted into dialogs, the scripts run with full system privileges. | 143420, 144704, 149777, 123383 |
Do not click on "javascript:" links in dialogs, or bookmark them | 21-May-2002 |
| 5 | DOM | Through 0.9.5 | Modify browser settings | A malicious Web page can create key events which are interpreted by the browser as menu commands. | 108104 | Disable JavaScript | 11-Mar-2002 |
| 6 | Networking | Through 1.0.1 | Modify or delete mail | A malicious Web page or mail message can contain an imap:// URL which can be used to issue arbitrary commands to an IMAP mail server | 127702 | Disable JavaScript and do not click on imap: links | 20-May-2002 |
| 7 | Buffer Overrun | Through 1.0.1 | Run arbitrary code | Attaching a specially formatted file to a message can cause an exploitable buffer overrun | 140133 | Do not attach files of unknown content to mail/news messages | 25-Apr-2002 |
| 8 | Networking | Through 1.0.1 | Denial of Access to Mail Account | Downloading a malicious email message can cause all future POP message downloads to fail, effectively denying access to a POP mail account until the malicious message ie removed by other means. | 144228 | Do not use POP mail | 5-Jun-2002 |
| 9 | Buffer Overrun | Through 1.0.1 | Run arbitrary code | Viewing several types of malformed image files from a malicious web page could cause exploitable heap corruption | 155222, 157989 | Turn off images | 10-Jul-2002 |
| 10 | DOM | Through 1.0.1 | Modify arbitrary files | Viewing a malicious page could cause an install operation to occur when the space bar is pressed. | 161721 | Disable JavaScript | 8-Aug-2002 |
| 11 | DOM | Through 1.0.2, 1.2 | Tracking of browsing | A malicious page can determine the URL of the page visited after it | 145579 | Disable JavaScript | 17-Sep-2002 |
| 12 | DOM | Through 1.0.1 | Reading data from 3rd-party websites | A malicious page can read data from a third-party webpage (perhaps inside a firewall) using the XMLSerializer interface | 147754 | Disable JavaScript | 14-Jun-2002 |
| 13 | DOM | 0.9.6 to 1.0.1/1.2 | Reading data from 3rd-party websites | A malicious page can read data from a third-party webpage using the DOM TreeWalker interface | 156452 | Disable JavaScript | 1-Aug-2002 |
| 14 | DOM | 0.9.5 to 1.0.1/1.2 | Reading data from 3rd-party websites | A malicious page can read data from a third-party webpage (perhaps inside a firewall) using the XMLSerializer interface | 169982 147754 | Disable JavaScript | 30-Sep-2002 |
| 15 | Networking | M17 to 1.0.1/1.2 | Deleting local files / run arbitrary code | Visiting a malicious URL with the vbscript: or vnd: protocol exposes Windows security problems and could be used to run arbitrary code. | 161357, 163648 | Disable JavaScript, do not visit vbscript: or vnd: URLs from untrusted sources | 10-Oct-2002 |
| 16 | Networking | 0.9.7 to 1.0.1/1.2 | Minor - saving sensitive data locally | A webpage created by a document.write command in a script on a secure page is stored in the browser cache even though the original page is not. This could cause private information to be saved on the local disk (the information is not accessible by a third party on the network) | 151478 | Disable JavaScript | 21-Oct-2002 |
| 17 | DOM | M1 to 1.0.1/1.2 | Reading data from 3rd-party websites | A malicious Java applet can read data from a third-party webpage | 168316 | Disable Java | 29-Oct-2002 |
| 18 | Networking | M1 to 1.0.1/1.2 | Reading passwords | "Princeton Attack" DNS spoofing can be used to steal passwords. The exploit requires many preconditions and is probably impractical for real use. | 162520 | Do not store passwords | 30-Oct-2002 |
| 19 | Spoofing | M1 to 1.0.1/1.2 | Incorrect URL in URL bar | A malicious page can display a misleading URL in the browser URL bar | 171274 | None | 4-Nov-2002 |
| 20 | DOM | 0.9.7 to 1.0.1/1.2 | Reading data from 3rd-party websites | A mailcious page can insert scripts or other content into a 3rd-party page and read or modify information. | 91043 | Disable JavaScript | 14-Nov-2002 |
| 21 | XSLT | 0.9.1 to 1.0.1/1.2 | Reading XML files from 3rd party sites | A malicious page can read XML data from third-party websites using the XSLT processor | 113351 | Disable JavaScript | 14-Jun-2002 |
| 22 | Password Mgr | M1 to 1.0.1/1.2 | Reading passwords | A malicious page can use a specially crafted javascript: URL to steal passwords the user has stored for other sites | 159484 | Disable JavaScript | 30-Jul-2002 |
| 23 | DOM/Forms | M1 to 1.0.1/1.2 | Reading local files from known locations | Using a specially crafted form element name, a malicious page can set the value of a file upload form control, causing a file to be uploaded from the user's disk. | 162409 | Disable JavaScript | 14-Aug-2002 |
| 24 | DOM/Forms | M1 to 1.0.1/1.2 | Reading local files from known locations | Using a specially crafted event object, a malicious page can set the value of a file upload form control, causing a file to be uploaded from the user's disk. | 164086, 164023, 163598 | Disable JavaScript | 28-Aug-2002 |
| 25 | HTML | M1 to 1.0.1/1.2 | Loss of browser preferences | A malicious page can corrupt the Mozilla preferences file, causing user settings to be lost | 143459 | None | 13-Sep-2002 |