CVE-2006-2783

Mozilla Firefox and Thunderbird before 1.5.0.4 strip the Unicode Byte-order-Mark (BOM) from a UTF-8 page before the page is passed to the parser, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a BOM sequence in the middle of a dangerous tag such as SCRIPT.

🔗 References (116)

• cve@mitrehttp://lists.apple.com/archives/security-announce/2008//Jul/msg00001.html
• cve@mitrehttp://lists.apple.com/archives/security-announce/2009/jun/msg00002.html
• cve@mitrehttp://rhn.redhat.com/errata/RHSA-2006-0609.html
• cve@mitrehttp://secunia.com/advisories/20376
• cve@mitrehttp://secunia.com/advisories/20382
• cve@mitrehttp://secunia.com/advisories/20561
• cve@mitrehttp://secunia.com/advisories/20709
• cve@mitrehttp://secunia.com/advisories/21134
• cve@mitrehttp://secunia.com/advisories/21176
• cve@mitrehttp://secunia.com/advisories/21178
• cve@mitrehttp://secunia.com/advisories/21183
• cve@mitrehttp://secunia.com/advisories/21188
• cve@mitrehttp://secunia.com/advisories/21210
• cve@mitrehttp://secunia.com/advisories/21269
• cve@mitrehttp://secunia.com/advisories/21270