Mozilla Firefox 1.5, Netscape 8.0.4 and 7.2, and K-Meleon before 0.9.12 allows remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup. NOTE: despite initial reports, the Mozilla vendor does not believe that this issue can be used to trigger a crash or buffer overflow in Firefox. Also, it has been independently reported that Netscape 8.1 does not have this issue.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netscape | navigator | 7.2 |
| mozilla | mozilla_suite | * |
| k-meleon_project | k-meleon | 0.7_service_pack_1 |
| k-meleon_project | k-meleon | 0.7 |
| k-meleon_project | k-meleon | 0.8.1 |
| mozilla | firefox | * |
| netscape | navigator | 7.1 |
| netscape | navigator | * |
| k-meleon_project | k-meleon | 0.8 |
| k-meleon_project | k-meleon | 0.8.2 |
| k-meleon_project | k-meleon | * |
Mozilla Firefox 1.5.0.2 and possibly other versions before 1.5.0.4, Netscape 8.1, 8.0.4, and 7.2, and K-Meleon 0.9.13 allows user-assisted remote attackers to open local files via a web page with an IMG element containing a SRC attribute with a non-image file:// URL, then tricking the user into selecting View Image for the broken image, as demonstrated using a .wma file to launch Windows Media Player, or by referencing an "alternate web page."
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netscape | navigator | 7.2 |
| netscape | navigator | 8.0.40 |
| k-meleon_project | k-meleon | 0.9.13 |
| mozilla | firefox | 1.5.0.2 |
| netscape | navigator | 8.1 |
Concurrency vulnerability in Mozilla Firefox 1.5.0.6 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via multiple Javascript timed events that load a deeply nested XML file, followed by redirecting the browser to another page, which leads to a concurrency failure that causes structures to be freed incorrectly, as demonstrated by (1) ffoxdie and (2) ffoxdie3. NOTE: it has been reported that Netscape 8.1 and K-Meleon 1.0.1 are also affected by ffoxdie. Mozilla confirmed to CVE that ffoxdie and ffoxdie3 trigger the same underlying vulnerability. NOTE: it was later reported that Firefox 2.0 RC2 and 1.5.0.7 are also affected.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mozilla | firefox | 0.9.3 |
| mozilla | firefox | 1.0.1 |
| mozilla | firefox | 1.0.7 |
| mozilla | firefox | 1.5 |
| mozilla | firefox | 0.9 |
| mozilla | firefox | 0.9.1 |
| mozilla | firefox | 1.5.0.5 |
| k-meleon_project | k-meleon | 1.0.1 |
| mozilla | firefox | 1.5.0.2 |
| netscape | navigator | 8.1 |
| mozilla | firefox | 1.0.5 |
| mozilla | firefox | 1.5.0.3 |
| mozilla | firefox | 0.10 |
| mozilla | firefox | 1.0.3 |
| mozilla | firefox | 1.5.0.6 |
| mozilla | firefox | 0.8 |
| mozilla | firefox | 0.10.1 |
| mozilla | firefox | 1.0.2 |
| mozilla | firefox | 1.0.4 |
| mozilla | firefox | 1.5.0.4 |
| mozilla | firefox | 0.9.2 |
| mozilla | firefox | 1.0 |
| mozilla | firefox | 1.0.8 |
| mozilla | firefox | 1.0.6 |
| mozilla | firefox | 1.5.0.1 |