PT-2009-3018 · Mozilla+1 · Firefox+1

Moz_Bug_R_A4 · Published 2009-02-04 · Updated 2024-12-12 · CVE-2009-0355

CVSS v2.0: 5.4 (Medium)
Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Mozilla Firefox versions prior to 3.0.6

Description

The issue allows user-assisted remote attackers to read arbitrary files on a client machine via a crafted INPUT element. This occurs because the nsSessionStore.js component in Mozilla Firefox does not block changes of INPUT elements to type="file" during tab restoration.

Recommendations

For versions prior to 3.0.6, update to version 3.0.6 or later to resolve the issue. As a temporary workaround, consider avoiding the restoration of tabs from untrusted sources until a patch is applied. Restrict access to file input elements to minimize the risk of exploitation.

Fix

Weakness Enumeration

Related Identifiers

CVE-2009-0355
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:14572-1
RHSA-2009:0256
RHSA-2009:0257
RHSA-2009:0258
RHSA-2009_0256
RHSA-2009_0257
RHSA-2009_0258

Affected Products

Firefox
Red Hat