Firefox 1.5.0.7 and 2.0, and Seamonkey 1.1b, allows remote malicious users to cause a denial of service (crash) by creating a range object using createRange, calling selectNode on a DocType node (DOCUMENT_TYPE_NODE), then calling createContextualFragment on the range, which triggers a null dereference. NOTE: the original Bugtraq post mentioned that code execution was possible, but followup analysis has shown that it is only a null dereference.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
mozilla firefox 2.0 |
||
mozilla seamonkey 1.1 |
||
mozilla firefox 1.5.0.7 |