CVE-2011-2981

Published: 19 August 2011

The event-management implementation in Mozilla Firefox before 3.6.20, SeaMonkey 2.x, Thunderbird 3.x before 3.1.12, and possibly other products does not properly select the context for script to run in, which allows remote attackers to bypass the Same Origin Policy or execute arbitrary JavaScript code with chrome privileges via a crafted web site.

Priority

Medium

Status

Package Release Status
firefox
Launchpad, Ubuntu, Debian
Upstream
Released (3.6.20)
firefox-3.0
Launchpad, Ubuntu, Debian
Upstream Needs triage
(Ubuntu source uses 3.6.x)
firefox-3.5
Launchpad, Ubuntu, Debian
Upstream Needs triage
(Ubuntu source uses 3.6.x)
seamonkey
Launchpad, Ubuntu, Debian
Upstream Needs triage

thunderbird
Launchpad, Ubuntu, Debian
Upstream
Released (3.1.12)
xulrunner-1.9.2
Launchpad, Ubuntu, Debian
Upstream
Released (1.9.2.20)
xulrunner-2.0
Launchpad, Ubuntu, Debian
Upstream Not vulnerable