CVE-2011-2362: Path Equivalence: 'filename.' (Trailing Dot) in Mozilla Firefox

CWE-264 | 8 documents | 6 sources
Severity: 5.0 MEDIUM (NVD)
EPSS: 1.2% (top 20.85%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 30 | Latest update May 17

Description

Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 do not distinguish between cookies for two domain names that differ only in a trailing dot, which allows remote web servers to bypass the Same Origin Policy via Set-Cookie headers.

CVSS vector

AV:N/AC:L/C:N/I:P/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (3 packages)

NVD | mozilla/firefox | 3.6.17 | +104
NVD | mozilla/thunderbird | 3.1.10 | +82
NVD | mozilla/seamonkey | 48 versions | +47

🔴 Vulnerability Details (2)

GHSA | GHSA-94rr-f3c7-jj57: Mozilla Firefox before 3 | 2022-05-17
CVEList | CVE-2011-2362: Mozilla Firefox before 3 | 2011-06-30

📋 Vendor Advisories (4)

Ubuntu | Thunderbird vulnerabilities | 2011-07-15
Ubuntu | Firefox regression | 2011-06-29
Ubuntu | Firefox and Xulrunner vulnerabilities | 2011-06-22
Red Hat | Mozilla Cookie isolation error (MFSA 2011-24) | 2011-06-21

💬 Community (1)

Bugzilla | CVE-2011-2362 Mozilla Cookie isolation error (MFSA 2011-24) | 2011-06-20