Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2011-3659 — Use After Free in Mozilla Firefox

CWE-416 — Use After Free13 documents8 sources

Severity

9.3CRITICALNVD

EPSS

73.1%

top 1.21%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird +4 more

Timeline

PublishedFeb 1

Latest updateMay 13

Description

Use-after-free vulnerability in Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 might allow remote attackers to execute arbitrary code via vectors related to incorrect AttributeChildRemoved notifications that affect access to removed nsDOMAttribute child nodes.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages7 packages

▶NVDmozilla/firefox4.0 — 10.0+1

▶NVDmozilla/seamonkey< 2.7

▶NVDmozilla/thunderbird5.0 — 10.0+1

▶NVDopensuse/opensuse11.4

▶NVDsuse/linux_enterprise_server10, 11+1

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-6j4m-9ghg-x3p4: Use-after-free vulnerability in Mozilla Firefox before 3↗2022-05-13

▶

CVEList

CVE-2011-3659: Use-after-free vulnerability in Mozilla Firefox before 3↗2012-02-01

▶

💥Exploits & PoCs

Exploit-DB

Mozilla Firefox 8/9 - 'AttributeChildRemoved()' Use-After-Free (Metasploit)↗2012-05-13

▶

Metasploit

Firefox 8/9 AttributeChildRemoved() Use-After-Free↗

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2012-02-17

▶

Ubuntu

Thunderbird vulnerabilities↗2012-02-08

▶

Ubuntu

Xulrunnner vulnerabilities↗2012-02-08

▶

Ubuntu

Mozvoikko update↗2012-02-03

▶

Ubuntu

ubufox and webfav update↗2012-02-03

▶

💬Community

Bugzilla

CVE-2011-3659 Mozilla: child nodes from nsDOMAttribute still accessible after removal of nodes (MFSA 2012-04)↗2012-01-31

▶