CVE-2011-2986

Mozilla Firefox 4.x-5 and Thunderbird < 6 - Unauthorized Sensitive Image Data Exposure via Canvas

Title source: llm
STIX 2.1

Description

Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before 2.3, and possibly other products, when the Direct2D (aka D2D) API is used on Windows, allows remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas.

References (7)

Core 7
Core References
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14497
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=655836
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/49055

Scores

EPSS 0.0118
EPSS Percentile 64.1%

Details

CWE
CWE-200
Status published
Products (34)
mozilla/firefox 4.0 (13 CPE variants)
mozilla/firefox 4.0.1
mozilla/firefox 5.0
mozilla/seamonkey 1.0 (3 CPE variants)
mozilla/seamonkey 1.0.1
mozilla/seamonkey 1.0.2
mozilla/seamonkey 1.0.3
mozilla/seamonkey 1.0.4
mozilla/seamonkey 1.0.5
mozilla/seamonkey 1.0.6
... and 24 more
Published Aug 18, 2011
Tracked Since Feb 18, 2026