CVE-2011-2993

Published: 17 August 2011

The implementation of digital signatures for JAR files in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does not prevent calls from unsigned JavaScript code to signed code, which allows remote attackers to bypass the Same Origin Policy and gain privileges via a crafted web site, a different vulnerability than CVE-2008-2801.

Priority

Medium

Status

| Package | Release | Status |
|---|---|---|
| firefox | Upstream | Released (6.0) |
| firefox-3.0 | Upstream | Needs triage (Ubuntu source uses 3.6.x) |
| firefox-3.5 | Upstream | Needs triage (Ubuntu source uses 3.6.x) |
| seamonkey | Upstream | Not vulnerable |
| thunderbird | Upstream | Not vulnerable |
| xulrunner-1.9.2 | Upstream | Not vulnerable |
| xulrunner-2.0 | Upstream | Needed |