CVE-2008-4066

Mozilla Firefox 2.0.0.14, and other versions before 2.0.0.17, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via HTML-escaped low surrogate characters that are ignored by the HTML parser, as demonstrated by a "jav&#56325ascript" sequence, aka "HTML escaped low surrogates bug."

🔗 References (88)

• secalert@redhathttp://blogs.technet.com/bluehat/archive/2008/08/14/targeted-fuzzing.aspx
• secalert@redhathttp://download.novell.com/Download?buildid=WZXONb-tqBw~
• secalert@redhathttp://jvn.jp/en/jp/JVN96950482/index.html
• secalert@redhathttp://jvndb.jvn.jp/ja/contents/2011/JVNDB-2011-000058.html
• secalert@redhathttp://lists.opensuse.org/opensuse-security-announce/2008-10/msg00005.html
• secalert@redhathttp://secunia.com/advisories/31984
• secalert@redhathttp://secunia.com/advisories/31985
• secalert@redhathttp://secunia.com/advisories/32007
• secalert@redhathttp://secunia.com/advisories/32010
• secalert@redhathttp://secunia.com/advisories/32012
• secalert@redhathttp://secunia.com/advisories/32025
• secalert@redhathttp://secunia.com/advisories/32042
• secalert@redhathttp://secunia.com/advisories/32044
• secalert@redhathttp://secunia.com/advisories/32082
• secalert@redhathttp://secunia.com/advisories/32092