CVE-2006-1733

Name	CVE-2006-1733
Description	Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 does not properly protect the compilation scope of privileged built-in XBL bindings, which allows remote attackers to execute arbitrary code via the (1) valueOf.call or (2) valueOf.apply methods of an XBL binding, or (3) "by inserting an XBL method into the DOM's document.body prototype chain."
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1044-1, DSA-1046-1, DSA-1051-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
firefox (PTS)	sid	132.0.2-1	fixed
thunderbird (PTS)	bullseye	1:115.12.0-1~deb11u1	fixed
	bullseye (security)	1:128.4.3esr-1~deb11u1	fixed
	bookworm	1:115.16.0esr-1~deb12u1	fixed
	bookworm (security)	1:128.4.3esr-1~deb12u1	fixed
	sid, trixie	1:128.4.3esr-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
firefox	source	(unstable)	1.5.dfsg+1.5.0.2-2	high
mozilla	source	sarge	2:1.7.8-1sarge5		DSA-1046-1
mozilla	source	(unstable)	2:1.7.13-0.1	high
mozilla-firefox	source	sarge	1.0.4-2sarge6		DSA-1044-1
mozilla-firefox	source	(unstable)	1.5.dfsg+1.5.0.2-2	high
mozilla-thunderbird	source	sarge	1.0.2-2.sarge1.0.8	medium
thunderbird	source	(unstable)	1.5.0.2-1	medium