CVE-2006-1741

Published Apr 14, 2006

Last updated 12 days ago

CVSS info 4.3

Overview

Description
Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to inject arbitrary Javascript into other sites by (1) "using a modal alert to suspend an event handler while a new page is being loaded", (2) using eval(), and using certain variants involving (3) "new Script;" and (4) using window.__proto__ to extend eval, aka "cross-site JavaScript injection".
Source
secalert@redhat.com
NVD status
Modified
Products
firefox, mozilla_suite, seamonkey, ubuntu_linux

Risk scores

CVSS 2.0

Type
Primary
Base score
4.3
Impact score
2.9
Exploitability score
8.6
Vector string
AV:N/AC:M/Au:N/C:N/I:P/A:N

Weaknesses

nvd@nist.gov
CWE-79

Social media

Hype score
Not currently trending

Evaluator

Comment
-
Impact
-
Solution
-

Configurations

Related CVEs

  1. Memory safety bugs present in Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150 and Thunderbird 150.CVE-2026-6784
  2. Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.CVE-2026-6783
  3. Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.CVE-2026-6782
  4. Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.CVE-2026-6781
  5. Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.CVE-2026-6780

References

Sources include official advisories and independent security research.