CVE-2011-3670 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure7 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

0.7%

top 27.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird

Timeline

PublishedFeb 1

Latest updateMay 14

Description

Mozilla Firefox before 3.6.26 and 4.x through 6.0, Thunderbird before 3.1.18 and 5.0 through 6.0, and SeaMonkey before 2.4 do not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶NVDmozilla/firefox3.6.25+131

▶NVDmozilla/seamonkey2.4+53

▶NVDmozilla/thunderbird3.1.7+87

🔴Vulnerability Details

GHSA

GHSA-4x38-mjhp-qwrf: Mozilla Firefox before 3↗2022-05-14

▶

CVEList

CVE-2011-3670: Mozilla Firefox before 3↗2012-02-01

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2012-02-08

▶

Ubuntu

Xulrunnner vulnerabilities↗2012-02-08

▶

Red Hat

Mozilla: Same-origin bypass using IPv6-like hostname syntax (MFSA 2012-02)↗2012-01-31

▶

💬Community

Bugzilla

CVE-2011-3670 Mozilla: Same-origin bypass using IPv6-like hostname syntax (MFSA 2012-02)↗2012-01-29

▶