CVE-2011-2993
Mozilla Firefox 4.x-5 and SeaMonkey < 2.3 - Same Origin Policy Bypass via Unsigned JavaScript
Title source: llmDescription
The implementation of digital signatures for JAR files in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does not prevent calls from unsigned JavaScript code to signed code, which allows remote attackers to bypass the Same Origin Policy and gain privileges via a crafted web site, a different vulnerability than CVE-2008-2801.
References (5)
Core 5
Core References
Various Sources x_refsource_confirm
http://www.mozilla.org/security/announce/2011/mfsa2011-33.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00023.html
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=657267
Vendor Advisory x_refsource_confirm
http://www.mozilla.org/security/announce/2011/mfsa2011-29.html
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14055
Scores
EPSS
0.0125
EPSS Percentile
66.1%
Details
CWE
CWE-264
Status
published
Products (16)
mozilla/firefox
4.0 (13 CPE variants)
mozilla/firefox
4.0.1
mozilla/firefox
5.0
mozilla/seamonkey
2.0 (8 CPE variants)
mozilla/seamonkey
2.0.1
mozilla/seamonkey
2.0.2
mozilla/seamonkey
2.0.3
mozilla/seamonkey
2.0.4
mozilla/seamonkey
2.0.5
mozilla/seamonkey
2.0.6
... and 6 more
Published
Aug 18, 2011
Tracked Since
Feb 18, 2026