CVE-2011-2366 — Improper Input Validation in Mozilla Firefox

CWE-20 — Improper Input Validation7 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.6%

top 30.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Gecko Mozilla Thunderbird

Timeline

PublishedJun 30

Latest updateMay 17

Description

Mozilla Gecko before 5.0, as used in Firefox before 5.0 and Thunderbird before 5.0, does not block use of a cross-domain image as a WebGL texture, which allows remote attackers to obtain approximate copies of arbitrary images via a timing attack involving a crafted WebGL fragment shader.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶NVDmozilla/gecko2+6

▶NVDmozilla/firefox4.0.1+116

▶NVDmozilla/thunderbird3.1.11+83

🔴Vulnerability Details

GHSA

GHSA-frmv-64q7-356r: Mozilla Gecko before 5↗2022-05-17

▶

📋Vendor Advisories

Ubuntu

Firefox regression↗2011-06-23

▶

Ubuntu

mozvoikko, ubufox, webfav update↗2011-06-22

▶

Ubuntu

Firefox vulnerabilities↗2011-06-22

▶

Red Hat

Mozilla: WebGL cross-domain image theft↗2011-05-09

▶

💬Community

Bugzilla

CVE-2011-2366 Mozilla: WebGL cross-domain image theft↗2011-09-26

▶