CVE-2010-2763

Mozilla Firefox <3.5.12, Thunderbird <3.0.7, SeaMonkey <2.0.7 - XSS

Title source: llm

Description

The XPCSafeJSObjectWrapper class in the SafeJSObjectWrapper (aka SJOW) implementation in Mozilla Firefox before 3.5.12, Thunderbird before 3.0.7, and SeaMonkey before 2.0.7 does not properly restrict scripted functions, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted function.

References (8)

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00002.html

[Vendor Advisory] http://www.mozilla.org/security/announce/2010/mfsa2010-60.html

[Issue Tracking] https://bugzilla.mozilla.org/show_bug.cgi?id=585284

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/61665

[Mailing List, Third Party Advisory] http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047282.html

[Third Party Advisory] http://www.debian.org/security/2010/dsa-2106

[Third Party Advisory, VDB Entry] https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12114

[Third Party Advisory] http://www.vupen.com/english/advisories/2010/2323

Scores

EPSS 0.0053

EPSS Percentile 66.9%

Classification

CWE

CWE-79

Status published

Affected Products (50)

mozilla/seamonkey < 2.0.6

mozilla/seamonkey

mozilla/seamonkey

mozilla/seamonkey

mozilla/seamonkey

mozilla/seamonkey

mozilla/seamonkey

mozilla/seamonkey

mozilla/seamonkey

mozilla/seamonkey

mozilla/seamonkey

mozilla/seamonkey

mozilla/seamonkey

mozilla/seamonkey

mozilla/seamonkey

... and 35 more

Timeline

Published Sep 09, 2010

Tracked Since Feb 18, 2026