CVE-2011-2986 — Sensitive Information Exposure in Mozilla Thunderbird

CWE-200 — Sensitive Information Exposure6 documents3 sources

Severity

5.0MEDIUMNVD

NVD2.6

EPSS

0.4%

top 40.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Mozilla Firefox Mozilla Seamonkey

Timeline

PublishedAug 18

Latest updateMay 17

Description

Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before 2.3, and possibly other products, when the Direct2D (aka D2D) API is used on Windows, allows remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶NVDmozilla/thunderbird5.0+81

▶NVDmozilla/firefox4 versions+3

▶NVDmozilla/seamonkey46 versions+45

🔴Vulnerability Details

GHSA

GHSA-w28f-6ggv-2vjv: Mozilla Firefox 4↗2022-05-17

▶

GHSA

GHSA-rpwr-6r9c-47vr: Mozilla Firefox 7↗2022-05-17

▶

CVEList

CVE-2011-3649: Mozilla Firefox 7↗2011-11-09

▶

CVEList

CVE-2011-2986: Mozilla Firefox 4↗2011-08-18

▶