CVE-2011-2990

Firefox 4.x-5 and SeaMonkey < 2.3 - Credential Exposure via CSP Violation Report

Title source: llm
STIX 2.1

Description

The implementation of Content Security Policy (CSP) violation reports in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does not remove proxy-authorization credentials from the listed request headers, which allows attackers to obtain sensitive information by reading a report, related to incorrect host resolution that occurs with certain redirects.

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14458
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=664983
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=679588

Scores

EPSS 0.0096
EPSS Percentile 57.6%

Details

CWE
CWE-255
Status published
Products (34)
mozilla/firefox 4.0 (13 CPE variants)
mozilla/firefox 4.0.1
mozilla/firefox 5.0
mozilla/seamonkey 1.0 (3 CPE variants)
mozilla/seamonkey 1.0.1
mozilla/seamonkey 1.0.2
mozilla/seamonkey 1.0.3
mozilla/seamonkey 1.0.4
mozilla/seamonkey 1.0.5
mozilla/seamonkey 1.0.6
... and 24 more
Published Aug 18, 2011
Tracked Since Feb 18, 2026