JVN#63304072
MouseoverDictionary vulnerable to arbitrary script execution
Overview
MouseoverDictionary, an add-on for Mozilla Firefox, contains a vulnerability that allows an attacker to execute an arbitrary script.
Products Affected
- Version 0.6.1 and earlier
Description
MouseoverDictionary, a mouseover English-Japanese dictionary add-on for Mozilla Firefox, does not handle its sidebar HTML page properly. As a result, an attacker can execute an arbitrary script in the user's web browser.
Impact
An attacker could execute an arbitrary script in Mozilla Firefox when the user uses MouseoverDictionary. Depending on the script, the attacker may be able to view arbitrary files on the client PC.
Solution
Update the Software
Apply the latest updates provided by the developer.
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2007.10.12
Measures | Conditions | Severity |
---|---|---|
Access Required | Routed - can be attacked over the Internet using packets | |
Authentication | None - anonymous or no authentication (IP addresses do not count) | |
User Interaction Required | Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file | |
Exploit Complexity | Low - little to no expertise and/or luck required to exploit (cross-site scripting) | |
Credit
Sen UENO of Tricorder Co.Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | |
JVN iPedia | JVNDB-2007-000779 |