CVE-2011-2993

Mozilla Firefox 4.x-5 and SeaMonkey < 2.3 - Same Origin Policy Bypass via Unsigned JavaScript

Title source: llm
STIX 2.1

Description

The implementation of digital signatures for JAR files in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does not prevent calls from unsigned JavaScript code to signed code, which allows remote attackers to bypass the Same Origin Policy and gain privileges via a crafted web site, a different vulnerability than CVE-2008-2801.

References (5)

Core 5
Core References
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=657267
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14055

Scores

EPSS 0.0125
EPSS Percentile 66.1%

Details

CWE
CWE-264
Status published
Products (16)
mozilla/firefox 4.0 (13 CPE variants)
mozilla/firefox 4.0.1
mozilla/firefox 5.0
mozilla/seamonkey 2.0 (8 CPE variants)
mozilla/seamonkey 2.0.1
mozilla/seamonkey 2.0.2
mozilla/seamonkey 2.0.3
mozilla/seamonkey 2.0.4
mozilla/seamonkey 2.0.5
mozilla/seamonkey 2.0.6
... and 6 more
Published Aug 18, 2011
Tracked Since Feb 18, 2026