CVE-2011-2981 Information

Description

The event-management implementation in Mozilla Firefox before 3.6.20, SeaMonkey 2.x, Thunderbird 3.x before 3.1.12, and possibly other products does not properly select the context for script to run in, which allows remote attackers to bypass the Same Origin Policy or execute arbitrary JavaScript code with chrome privileges via a crafted web site.

Reference

http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00023.html
http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00027.html
http://www.debian.org/security/2011/dsa-2295
http://www.debian.org/security/2011/dsa-2296
http://www.debian.org/security/2011/dsa-2297
http://www.mandriva.com/security/advisories?name=MDVSA-2011:127
http://www.mozilla.org/security/announce/2011/mfsa2011-30.html
http://www.redhat.com/support/errata/RHSA-2011-1164.html
https://bugzilla.mozilla.org/show_bug.cgi?id=614151
https://bugzilla.mozilla.org/show_bug.cgi?id=643450
https://bugzilla.mozilla.org/show_bug.cgi?id=650252
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14512
