CVE-2010-1215 — Code Injection in Mozilla Firefox

CWE-94 — Code Injection8 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

0.5%

top 34.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird

Timeline

PublishedJul 30

Latest updateMay 2

Description

Mozilla Firefox 3.6.x before 3.6.7 and Thunderbird 3.1.x before 3.1.1 do not properly implement access to a content object through a SafeJSObjectWrapper (aka SJOW) wrapper, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging "access to an object from the chrome scope."

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶NVDmozilla/firefox5 versions+4

▶NVDmozilla/thunderbird3.1

🔴Vulnerability Details

GHSA

GHSA-qpxw-xx5g-34gg: Mozilla Firefox 3↗2022-05-02

▶

📋Vendor Advisories

Ubuntu

Firefox and Xulrunner vulnerability↗2010-07-26

▶

Ubuntu

Firefox and Xulrunner vulnerabilities↗2010-07-23

▶

Ubuntu

ant, apturl, Epiphany, gluezilla, gnome-python-extras, liferea, mozvoikko, OpenJDK, packagekit, ubufox, webfav, yelp update↗2010-07-23

▶

Ubuntu

Firefox and Xulrunner vulnerabilities↗2010-07-23

▶

Red Hat

Mozilla Arbitrary code execution using SJOW and fast native function↗2010-07-20

▶

💬Community

Bugzilla

CVE-2010-1215 Mozilla Arbitrary code execution using SJOW and fast native function↗2010-07-16

▶