PT-2004-2242 · Microsoft · Internet Explorer+1

Published: 2004-12-15 · Updated: 2019-04-30 · CVE-2004-1319

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: DHTML Edit Control (dhtmled.ocx) version 6.0.2900.2180
Description: The issue allows remote attackers to inject arbitrary web script into other domains. This is achieved by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript. This has been demonstrated in Internet Explorer.
Recommendations: For version 6.0.2900.2180, consider restricting the use of the DHTML Edit Control to minimize the risk of exploitation. As a temporary workaround, avoid using the execScript function until a patch is available.

Related Identifiers

CVE-2004-1319

Affected Products

Dhtml Edit Control
Internet Explorer