CVE-2011-3649 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure2 documents2 sources

Severity

2.6LOWNVD

EPSS

0.3%

top 50.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird

Timeline

PublishedNov 9

Latest updateMay 17

Description

Mozilla Firefox 7.0 and Thunderbird 7.0, when the Direct2D (aka D2D) API is used on Windows in conjunction with the Azure graphics back-end, allow remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas. NOTE: this issue exists because of a CVE-2011-2986 regression.

CVSS vector

AV:N/AC:H/C:P/I:N/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages2 packages

▶NVDmozilla/firefox7.0

▶NVDmozilla/thunderbird7.0

🔴Vulnerability Details

GHSA

GHSA-rpwr-6r9c-47vr: Mozilla Firefox 7↗2022-05-17

▶