|Description||Mozilla Firefox 188.8.131.52, and other versions before 184.108.40.206, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via HTML-escaped low surrogate characters that are ignored by the HTML parser, as demonstrated by a "jav�ascript" sequence, aka "HTML escaped low surrogates bug."|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||medium (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|jessie (security), jessie||1:45.8.0-3~deb8u1||fixed|
|iceweasel (PTS)||wheezy (security), wheezy||38.8.0esr-1~deb7u1||fixed|
|xulrunner (PTS)||wheezy (security), wheezy||24.8.1esr-2~deb7u1||fixed|
The information below is based on the following data on fixed versions.
[etch] - iceape <end-of-life> (Etch Packages no longer covered by security support)