CVE-2011-2605: Code Injection in Mozilla Firefox

CWE-94: Code Injection | 4 documents | 4 sources
Severity: 4.3 MEDIUM (NVD)
EPSS: 0.3% (top 42.79%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 30
Latest update: May 17

Description

CRLF injection vulnerability in the nsCookieService::SetCookieStringInternal function in netwerk/cookie/nsCookieService.cpp in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, and Thunderbird before 3.1.11, allows remote attackers to bypass intended access restrictions via a string containing a \n (newline) character, which is not properly handled in a JavaScript "document.cookie =" expression, a different vulnerability than CVE-2011-2374.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (2 packages)

NVD: mozilla/firefox 3.6.17 +106
NVD: mozilla/thunderbird 3.1.10 +82

Patches

🔴 Vulnerability Details (1)

GHSA
GHSA-m4ch-8pc5-rpx2: CRLF injection vulnerability in the nsCookieService::SetCookieStringInternal function in netwerk/cookie/nsCookieService (2022-05-17)

📋 Vendor Advisories (1)

Red Hat
Mozilla Miscellaneous memory safety hazards (MFSA 2011-19) (2011-06-21)

💬 Community (1)

Bugzilla
CVE-2011-2364 CVE-2011-2365 CVE-2011-2374 CVE-2011-2375 CVE-2011-2376 CVE-2011-2605 Mozilla Miscellaneous memory safety hazards (MFSA 2011-19) (2011-06-20)