CVE-2011-2993

2011-08-1818:55:00

CWE-264

[email protected]

web.nvd.nist.gov

mozilla

firefox

seamonkey

digital signature

implementation

vulnerability

cve-2011-2993

nvd

9.4 High

AI Score

Confidence

High

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.006 Low

EPSS

Percentile

77.6%

JSON

The implementation of digital signatures for JAR files in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does not prevent calls from unsigned JavaScript code to signed code, which allows remote attackers to bypass the Same Origin Policy and gain privileges via a crafted web site, a different vulnerability than CVE-2008-2801.

CPENameOperatorVersion
mozilla:firefoxmozilla firefoxeq4.0
mozilla:firefoxmozilla firefoxeq5.0
mozilla:firefoxmozilla firefoxeq4.0.1
mozilla:seamonkeymozilla seamonkeyeq2.0.10
mozilla:seamonkeymozilla seamonkeyeq2.0.4
mozilla:seamonkeymozilla seamonkeyeq2.1
mozilla:seamonkeymozilla seamonkeyeq2.0.3
mozilla:seamonkeymozilla seamonkeyeq2.0.2
mozilla:seamonkeymozilla seamonkeyeq2.0
mozilla:seamonkeymozilla seamonkeyeq2.0.8

CPE	Name	Operator	Version
mozilla:firefox	mozilla firefox	eq	4.0
mozilla:firefox	mozilla firefox	eq	5.0
mozilla:firefox	mozilla firefox	eq	4.0.1
mozilla:seamonkey	mozilla seamonkey	eq	2.0.10
mozilla:seamonkey	mozilla seamonkey	eq	2.0.4
mozilla:seamonkey	mozilla seamonkey	eq	2.1
mozilla:seamonkey	mozilla seamonkey	eq	2.0.3
mozilla:seamonkey	mozilla seamonkey	eq	2.0.2
mozilla:seamonkey	mozilla seamonkey	eq	2.0
mozilla:seamonkey	mozilla seamonkey	eq	2.0.8