VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 13, 2005· Updated Apr 16, 2026

CVE-2005-2261

CVE-2005-2261

Description

Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Firefox, Thunderbird, Mozilla, Netscape, and K-Meleon run XBL scripts even when JavaScript is disabled, allowing attackers to bypass script-blocking protections.

Vulnerability

In Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9, the browser executes XBL (XML Binding Language) scripts even when JavaScript has been explicitly disabled by the user. This occurs because the XBL processing engine does not respect the JavaScript disable setting, allowing remote web pages to load and execute XBL bindings that contain script code.

Exploitation

An attacker can craft a web page that includes XBL bindings with embedded script code. No special network position or authentication is required; the victim simply needs to visit the malicious page using an affected browser. The XBL scripts run automatically, regardless of the user's JavaScript preference, effectively bypassing the intended security control.

Impact

Successful exploitation allows the attacker to execute arbitrary script code in the context of the victim's browser session. This can lead to information disclosure, session hijacking, or other malicious actions that would normally be prevented when JavaScript is disabled. The attacker gains the ability to run scripts without the user's knowledge or consent.

Mitigation

Users should upgrade to the fixed versions: Firefox 1.0.5, Thunderbird 1.0.5, Mozilla 1.7.9, or later. Red Hat released updates for affected products via RHSA-2005-587 [3] and RHSA-2005-601 [4]. No workaround is available other than disabling XBL support entirely, which may break legitimate functionality. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

References
  1. Support
  2. Support

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

60
  • Mozilla Corporation/Firefox14 versions
    cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:*+ 13 more
    • cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9:rc:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:1.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:1.0.4:*:*:*:*:*:*:*
    • (no CPE)range: <1.0.5
  • Mozilla Corporation/Mozilla26 versions
    cpe:2.3:a:mozilla:mozilla:1.3:*:*:*:*:*:*:*+ 25 more
    • cpe:2.3:a:mozilla:mozilla:1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.6:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.6:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc3:*:*:*:*:*:*
    • (no CPE)range: <1.7.9
  • Mozilla Corporation/Thunderbird18 versions
    cpe:2.3:a:mozilla:thunderbird:0.1:*:*:*:*:*:*:*+ 17 more
    • cpe:2.3:a:mozilla:thunderbird:0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:1.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:1.0.4:*:*:*:*:*:*:*
    • (no CPE)range: <1.0.5
  • K Meleon Project/K Meleonllm-fuzzy
    Range: =0.9
  • Netscape/Netscapellm-fuzzy
    Range: =8.0.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

23

News mentions

0

No linked articles in our index yet.