csaf_redhat - rhsa-2011

rhsa-2011_1439

Vulnerability from csaf_redhat

Published

2011-11-08 21:47

Modified

2024-09-13 07:08

Summary

Red Hat Security Advisory: thunderbird security update

Notes

Topic

An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Details

Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the way Thunderbird handled certain add-ons. Malicious, remote content could cause an add-on to elevate its privileges, which could lead to arbitrary code execution with the privileges of the user running Thunderbird. (CVE-2011-3647) A cross-site scripting (XSS) flaw was found in the way Thunderbird handled certain multibyte character sets. Malicious, remote content could cause Thunderbird to run JavaScript code with the permissions of different remote content. (CVE-2011-3648) A flaw was found in the way Thunderbird handled large JavaScript scripts. Malicious, remote content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-3650) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated thunderbird package that fixes multiple security issues is now\navailable for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nA flaw was found in the way Thunderbird handled certain add-ons. Malicious,\nremote content could cause an add-on to elevate its privileges, which could\nlead to arbitrary code execution with the privileges of the user running\nThunderbird. (CVE-2011-3647)\n\nA cross-site scripting (XSS) flaw was found in the way Thunderbird handled\ncertain multibyte character sets. Malicious, remote content could cause\nThunderbird to run JavaScript code with the permissions of different\nremote content. (CVE-2011-3648)\n\nA flaw was found in the way Thunderbird handled large JavaScript scripts.\nMalicious, remote content could cause Thunderbird to crash or, potentially,\nexecute arbitrary code with the privileges of the user running Thunderbird.\n(CVE-2011-3650)\n\nAll Thunderbird users should upgrade to this updated package, which\nresolves these issues. All running instances of Thunderbird must be\nrestarted for the update to take effect.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2011:1439",
        "url": "https://access.redhat.com/errata/RHSA-2011:1439"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#critical",
        "url": "https://access.redhat.com/security/updates/classification/#critical"
      },
      {
        "category": "external",
        "summary": "751931",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=751931"
      },
      {
        "category": "external",
        "summary": "751932",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=751932"
      },
      {
        "category": "external",
        "summary": "751933",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=751933"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2011/rhsa-2011_1439.json"
      }
    ],
    "title": "Red Hat Security Advisory: thunderbird security update",
    "tracking": {
      "current_release_date": "2024-09-13T07:08:24+00:00",
      "generator": {
        "date": "2024-09-13T07:08:24+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2011:1439",
      "initial_release_date": "2011-11-08T21:47:00+00:00",
      "revision_history": [
        {
          "date": "2011-11-08T21:47:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2011-11-08T21:54:25+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-13T07:08:24+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Server Optional (v. 6)",
                "product": {
                  "name": "Red Hat Enterprise Linux Server Optional (v. 6)",
                  "product_id": "6Server-optional-6.1.z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:6::server"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "thunderbird-0:3.1.16-2.el6_1.i686",
                "product": {
                  "name": "thunderbird-0:3.1.16-2.el6_1.i686",
                  "product_id": "thunderbird-0:3.1.16-2.el6_1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/thunderbird@3.1.16-2.el6_1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "thunderbird-debuginfo-0:3.1.16-2.el6_1.i686",
                "product": {
                  "name": "thunderbird-debuginfo-0:3.1.16-2.el6_1.i686",
                  "product_id": "thunderbird-debuginfo-0:3.1.16-2.el6_1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/thunderbird-debuginfo@3.1.16-2.el6_1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "thunderbird-0:3.1.16-2.el6_1.ppc64",
                "product": {
                  "name": "thunderbird-0:3.1.16-2.el6_1.ppc64",
                  "product_id": "thunderbird-0:3.1.16-2.el6_1.ppc64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/thunderbird@3.1.16-2.el6_1?arch=ppc64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64",
                "product": {
                  "name": "thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64",
                  "product_id": "thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/thunderbird-debuginfo@3.1.16-2.el6_1?arch=ppc64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "thunderbird-0:3.1.16-2.el6_1.src",
                "product": {
                  "name": "thunderbird-0:3.1.16-2.el6_1.src",
                  "product_id": "thunderbird-0:3.1.16-2.el6_1.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/thunderbird@3.1.16-2.el6_1?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "thunderbird-0:3.1.16-2.el6_1.s390x",
                "product": {
                  "name": "thunderbird-0:3.1.16-2.el6_1.s390x",
                  "product_id": "thunderbird-0:3.1.16-2.el6_1.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/thunderbird@3.1.16-2.el6_1?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x",
                "product": {
                  "name": "thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x",
                  "product_id": "thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/thunderbird-debuginfo@3.1.16-2.el6_1?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "thunderbird-0:3.1.16-2.el6_1.x86_64",
                "product": {
                  "name": "thunderbird-0:3.1.16-2.el6_1.x86_64",
                  "product_id": "thunderbird-0:3.1.16-2.el6_1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/thunderbird@3.1.16-2.el6_1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64",
                "product": {
                  "name": "thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64",
                  "product_id": "thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/thunderbird-debuginfo@3.1.16-2.el6_1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "thunderbird-0:3.1.16-2.el6_1.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
          "product_id": "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.i686"
        },
        "product_reference": "thunderbird-0:3.1.16-2.el6_1.i686",
        "relates_to_product_reference": "6Server-optional-6.1.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "thunderbird-0:3.1.16-2.el6_1.ppc64 as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
          "product_id": "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.ppc64"
        },
        "product_reference": "thunderbird-0:3.1.16-2.el6_1.ppc64",
        "relates_to_product_reference": "6Server-optional-6.1.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "thunderbird-0:3.1.16-2.el6_1.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
          "product_id": "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.s390x"
        },
        "product_reference": "thunderbird-0:3.1.16-2.el6_1.s390x",
        "relates_to_product_reference": "6Server-optional-6.1.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "thunderbird-0:3.1.16-2.el6_1.src as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
          "product_id": "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.src"
        },
        "product_reference": "thunderbird-0:3.1.16-2.el6_1.src",
        "relates_to_product_reference": "6Server-optional-6.1.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "thunderbird-0:3.1.16-2.el6_1.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
          "product_id": "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.x86_64"
        },
        "product_reference": "thunderbird-0:3.1.16-2.el6_1.x86_64",
        "relates_to_product_reference": "6Server-optional-6.1.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "thunderbird-debuginfo-0:3.1.16-2.el6_1.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
          "product_id": "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.i686"
        },
        "product_reference": "thunderbird-debuginfo-0:3.1.16-2.el6_1.i686",
        "relates_to_product_reference": "6Server-optional-6.1.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64 as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
          "product_id": "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64"
        },
        "product_reference": "thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64",
        "relates_to_product_reference": "6Server-optional-6.1.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
          "product_id": "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x"
        },
        "product_reference": "thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x",
        "relates_to_product_reference": "6Server-optional-6.1.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
          "product_id": "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64"
        },
        "product_reference": "thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64",
        "relates_to_product_reference": "6Server-optional-6.1.z"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2011-3647",
      "discovery_date": "2011-11-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "751931"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior, a related issue to CVE-2011-3004.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Mozilla: Security problem with loadSubScript on 1.9.2 branch (MFSA 2011-46)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.i686",
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.ppc64",
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.s390x",
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.src",
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.x86_64",
          "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.i686",
          "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64",
          "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x",
          "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2011-3647"
        },
        {
          "category": "external",
          "summary": "RHBZ#751931",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=751931"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2011-3647",
          "url": "https://www.cve.org/CVERecord?id=CVE-2011-3647"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-3647",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3647"
        },
        {
          "category": "external",
          "summary": "http://www.mozilla.org/security/announce/2011/mfsa2011-46.html",
          "url": "http://www.mozilla.org/security/announce/2011/mfsa2011-46.html"
        }
      ],
      "release_date": "2011-11-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259",
          "product_ids": [
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.i686",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.ppc64",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.s390x",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.src",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.x86_64",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.i686",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2011:1439"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.i686",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.ppc64",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.s390x",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.src",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.x86_64",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.i686",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ],
      "title": "Mozilla: Security problem with loadSubScript on 1.9.2 branch (MFSA 2011-46)"
    },
    {
      "cve": "CVE-2011-3648",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2011-11-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "751932"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Mozilla: Universal XSS likely with MultiByte charset (MFSA 2011-47)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.i686",
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.ppc64",
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.s390x",
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.src",
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.x86_64",
          "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.i686",
          "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64",
          "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x",
          "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2011-3648"
        },
        {
          "category": "external",
          "summary": "RHBZ#751932",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=751932"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2011-3648",
          "url": "https://www.cve.org/CVERecord?id=CVE-2011-3648"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-3648",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3648"
        },
        {
          "category": "external",
          "summary": "http://www.mozilla.org/security/announce/2011/mfsa2011-47.html",
          "url": "http://www.mozilla.org/security/announce/2011/mfsa2011-47.html"
        }
      ],
      "release_date": "2011-11-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259",
          "product_ids": [
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.i686",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.ppc64",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.s390x",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.src",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.x86_64",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.i686",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2011:1439"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.i686",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.ppc64",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.s390x",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.src",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.x86_64",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.i686",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Mozilla: Universal XSS likely with MultiByte charset (MFSA 2011-47)"
    },
    {
      "cve": "CVE-2011-3650",
      "discovery_date": "2011-11-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "751933"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Mozilla: crash while profiling page with many functions (MFSA 2011-49)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.i686",
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.ppc64",
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.s390x",
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.src",
          "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.x86_64",
          "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.i686",
          "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64",
          "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x",
          "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2011-3650"
        },
        {
          "category": "external",
          "summary": "RHBZ#751933",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=751933"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2011-3650",
          "url": "https://www.cve.org/CVERecord?id=CVE-2011-3650"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-3650",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3650"
        },
        {
          "category": "external",
          "summary": "http://www.mozilla.org/security/announce/2011/mfsa2011-49.html",
          "url": "http://www.mozilla.org/security/announce/2011/mfsa2011-49.html"
        }
      ],
      "release_date": "2011-11-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259",
          "product_ids": [
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.i686",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.ppc64",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.s390x",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.src",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.x86_64",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.i686",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2011:1439"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.i686",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.ppc64",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.s390x",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.src",
            "6Server-optional-6.1.z:thunderbird-0:3.1.16-2.el6_1.x86_64",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.i686",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.ppc64",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.s390x",
            "6Server-optional-6.1.z:thunderbird-debuginfo-0:3.1.16-2.el6_1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Mozilla: crash while profiling page with many functions (MFSA 2011-49)"
    }
  ]
}

cve-2011-3650

Vulnerability from cvelistv5

Published

2011-11-09 11:00

Modified

2024-08-06 23:46

Severity ?

Summary

Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug.

References

▼	URL	Tags
	http://www.mozilla.org/security/announce/2011/mfsa2011-49.html	x_refsource_CONFIRM
	http://www.redhat.com/support/errata/RHSA-2011-1439.html	vendor-advisory, x_refsource_REDHAT
	https://bugzilla.mozilla.org/show_bug.cgi?id=674776	x_refsource_CONFIRM
	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13870	vdb-entry, signature, x_refsource_OVAL
	http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html	vendor-advisory, x_refsource_SUSE

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T23:46:01.358Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.mozilla.org/security/announce/2011/mfsa2011-49.html"
          },
          {
            "name": "RHSA-2011:1439",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2011-1439.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=674776"
          },
          {
            "name": "oval:org.mitre.oval:def:13870",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13870"
          },
          {
            "name": "SUSE-SU-2011:1256",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-11-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-18T12:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.mozilla.org/security/announce/2011/mfsa2011-49.html"
        },
        {
          "name": "RHSA-2011:1439",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2011-1439.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=674776"
        },
        {
          "name": "oval:org.mitre.oval:def:13870",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13870"
        },
        {
          "name": "SUSE-SU-2011:1256",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2011-3650",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.mozilla.org/security/announce/2011/mfsa2011-49.html",
              "refsource": "CONFIRM",
              "url": "http://www.mozilla.org/security/announce/2011/mfsa2011-49.html"
            },
            {
              "name": "RHSA-2011:1439",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2011-1439.html"
            },
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=674776",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=674776"
            },
            {
              "name": "oval:org.mitre.oval:def:13870",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13870"
            },
            {
              "name": "SUSE-SU-2011:1256",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2011-3650",
    "datePublished": "2011-11-09T11:00:00",
    "dateReserved": "2011-09-23T00:00:00",
    "dateUpdated": "2024-08-06T23:46:01.358Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-3648

Vulnerability from cvelistv5

Published

2011-11-09 11:00

Modified

2024-08-06 23:37

Severity ?

Summary

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.

References

▼	URL	Tags
	http://www.redhat.com/support/errata/RHSA-2011-1439.html	vendor-advisory, x_refsource_REDHAT
	https://bugzilla.mozilla.org/show_bug.cgi?id=690225	x_refsource_CONFIRM
	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14212	vdb-entry, signature, x_refsource_OVAL
	http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html	vendor-advisory, x_refsource_SUSE
	http://www.mozilla.org/security/announce/2011/mfsa2011-47.html	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T23:37:48.541Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2011:1439",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2011-1439.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=690225"
          },
          {
            "name": "oval:org.mitre.oval:def:14212",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14212"
          },
          {
            "name": "SUSE-SU-2011:1256",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.mozilla.org/security/announce/2011/mfsa2011-47.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-11-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-18T12:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "RHSA-2011:1439",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2011-1439.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=690225"
        },
        {
          "name": "oval:org.mitre.oval:def:14212",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14212"
        },
        {
          "name": "SUSE-SU-2011:1256",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.mozilla.org/security/announce/2011/mfsa2011-47.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2011-3648",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2011:1439",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2011-1439.html"
            },
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=690225",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=690225"
            },
            {
              "name": "oval:org.mitre.oval:def:14212",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14212"
            },
            {
              "name": "SUSE-SU-2011:1256",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html"
            },
            {
              "name": "http://www.mozilla.org/security/announce/2011/mfsa2011-47.html",
              "refsource": "CONFIRM",
              "url": "http://www.mozilla.org/security/announce/2011/mfsa2011-47.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2011-3648",
    "datePublished": "2011-11-09T11:00:00",
    "dateReserved": "2011-09-23T00:00:00",
    "dateUpdated": "2024-08-06T23:37:48.541Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2011-3647

Vulnerability from cvelistv5

Published

2011-11-09 11:00

Modified

2024-08-06 23:37

Severity ?

Summary

The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior, a related issue to CVE-2011-3004.

References

▼	URL	Tags
	https://bugzilla.mozilla.org/show_bug.cgi?id=680880	x_refsource_CONFIRM
	http://www.redhat.com/support/errata/RHSA-2011-1439.html	vendor-advisory, x_refsource_REDHAT
	http://www.mozilla.org/security/announce/2011/mfsa2011-46.html	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html	vendor-advisory, x_refsource_SUSE
	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13550	vdb-entry, signature, x_refsource_OVAL

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T23:37:48.659Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=680880"
          },
          {
            "name": "RHSA-2011:1439",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2011-1439.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.mozilla.org/security/announce/2011/mfsa2011-46.html"
          },
          {
            "name": "SUSE-SU-2011:1256",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html"
          },
          {
            "name": "oval:org.mitre.oval:def:13550",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13550"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-11-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior, a related issue to CVE-2011-3004."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-18T12:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=680880"
        },
        {
          "name": "RHSA-2011:1439",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2011-1439.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.mozilla.org/security/announce/2011/mfsa2011-46.html"
        },
        {
          "name": "SUSE-SU-2011:1256",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html"
        },
        {
          "name": "oval:org.mitre.oval:def:13550",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13550"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2011-3647",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior, a related issue to CVE-2011-3004."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=680880",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=680880"
            },
            {
              "name": "RHSA-2011:1439",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2011-1439.html"
            },
            {
              "name": "http://www.mozilla.org/security/announce/2011/mfsa2011-46.html",
              "refsource": "CONFIRM",
              "url": "http://www.mozilla.org/security/announce/2011/mfsa2011-46.html"
            },
            {
              "name": "SUSE-SU-2011:1256",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html"
            },
            {
              "name": "oval:org.mitre.oval:def:13550",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13550"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2011-3647",
    "datePublished": "2011-11-09T11:00:00",
    "dateReserved": "2011-09-23T00:00:00",
    "dateUpdated": "2024-08-06T23:37:48.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

rhsa-2011_1439

Vulnerability from csaf_redhat

cve-2011-3650

Vulnerability from cvelistv5

cve-2011-3648

Vulnerability from cvelistv5

cve-2011-3647

Vulnerability from cvelistv5

Tags