CVE-2005-1160
Description
The privileged "chrome" UI code in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to gain privileges by overriding certain properties or methods of DOM nodes, as demonstrated using multiple attacks involving the eval function or the Script object.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
36cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:*+ 11 more
- cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9:rc:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*
- (no CPE)range: <1.0.3
cpe:2.3:a:mozilla:mozilla:1.3:*:*:*:*:*:*:*+ 22 more
- cpe:2.3:a:mozilla:mozilla:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.4:alpha:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.5:alpha:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.5:rc2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.6:alpha:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.6:beta:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.7:alpha:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.7:beta:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.7:rc2:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla:1.7:rc3:*:*:*:*:*:*
- Range: <1.7.7
Patches
Vulnerability mechanics
Root cause
"A Script object created by web content executes with chrome privileges when called from chrome JS, allowing privilege escalation via DOM property getter overrides."
Attack vector
A remote attacker can craft a web page that redefines a property getter (e.g., `localName`) on a DOM node to return a `Script` object containing arbitrary JavaScript. When chrome JS code accesses that property (e.g., `event.target.localName.toLowerCase()`), the attacker's script executes with chrome privileges [ref_id=1]. The attack can be triggered without user interaction by using the DOMLinkAdded event [ref_id=1].
Affected code
The vulnerability resides in the privileged "chrome" UI code of Firefox (before 1.0.3) and Mozilla Suite (before 1.7.7). The bug report identifies that a `Script` object created by a web page, when called from chrome JS, executes with chrome privileges [ref_id=1]. The fix ensures that content code in a Script does not receive elevated privileges when called from chrome [ref_id=1].
What the fix does
The patch ensures that when a `Script` object created by web content is called from chrome code, it does not execute with elevated privileges [ref_id=1]. The fix was reviewed and approved (r+sr=brendan) and landed on the trunk as part of bug 281988 [ref_id=1]. No further details of the code change are present in the bundle beyond the description that it prevents content code in a Script from receiving elevated privileges when called from chrome.
Preconditions
- inputThe attacker must serve a malicious web page to the victim's browser.
- configThe victim must use Firefox before 1.0.3 or Mozilla Suite before 1.7.7.
- inputChrome JS code must access a DOM node property that the attacker has overridden.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
18- secunia.com/advisories/14938nvdPatchVendor Advisory
- secunia.com/advisories/14992nvdPatchVendor Advisory
- www.gentoo.org/security/en/glsa/glsa-200504-18.xmlnvdPatchVendor Advisory
- www.redhat.com/support/errata/RHSA-2005-383.htmlnvdPatchVendor Advisory
- www.redhat.com/support/errata/RHSA-2005-386.htmlnvdPatchVendor Advisory
- bugzilla.mozilla.org/show_bug.cginvdPatch
- bugzilla.mozilla.org/show_bug.cginvdPatch
- bugzilla.mozilla.org/show_bug.cginvdPatch
- www.mozilla.org/security/announce/mfsa2005-41.htmlnvdVendor Advisory
- ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txtnvd
- secunia.com/advisories/19823nvd
- www.novell.com/linux/security/advisories/2006_04_25.htmlnvd
- www.redhat.com/support/errata/RHSA-2005-384.htmlnvd
- www.redhat.com/support/errata/RHSA-2005-601.htmlnvd
- www.securityfocus.com/bid/13233nvd
- www.securityfocus.com/bid/15495nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100017nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11291nvd
News mentions
0No linked articles in our index yet.