CVE-2011-3866 - Permissions, Privileges, and Access Control vulnerability in Mozilla Firefox and Seamonkey

Publication

2011-09-29

Last modification

2018-11-29

Summary

Mozilla Firefox before 7.0 and SeaMonkey before 2.4 do not properly restrict availability of motion data events, which makes it easier for remote attackers to read keystrokes by leveraging JavaScript code running in a background tab.

Classification

CWE-264 - Permissions, Privileges, and Access Control

Risk level (CVSS AV:N/AC:M/Au:N/C:P/I:N/A:N)

Medium

4.3

Access Vector

  • Network

Access Complexity

  • Medium

Authentication

  • None

Confidentiality Impact

  • Partial

Integrity Impact

  • None

OVAL definition

{
    "accepted": "2014-10-06T04:00:55.969-04:00",
    "class": "vulnerability",
    "contributors": [
        {
            "name": "Scott Quint",
            "organization": "DTCC"
        },
        {
            "name": "Scott Quint",
            "organization": "DTCC"
        },
        {
            "name": "Sergey Artykhov",
            "organization": "ALTX-SOFT"
        },
        {
            "name": "Sergey Artykhov",
            "organization": "ALTX-SOFT"
        },
        {
            "name": "Maria Kedovskaya",
            "organization": "ALTX-SOFT"
        },
        {
            "name": "Shane Shaffer",
            "organization": "G2, Inc."
        },
        {
            "name": "Maria Kedovskaya",
            "organization": "ALTX-SOFT"
        },
        {
            "name": "Evgeniy Pavlov",
            "organization": "ALTX-SOFT"
        },
        {
            "name": "Evgeniy Pavlov",
            "organization": "ALTX-SOFT"
        },
        {
            "name": "Evgeniy Pavlov",
            "organization": "ALTX-SOFT"
        }
    ],
    "definition_extensions": [
        {
            "comment": "Mozilla Seamonkey is installed",
            "oval": "oval:org.mitre.oval:def:6372"
        },
        {
            "comment": "Mozilla Seamonkey is installed",
            "oval": "oval:org.mitre.oval:def:6372"
        },
        {
            "comment": "Mozilla Firefox Mainline release is installed",
            "oval": "oval:org.mitre.oval:def:22259"
        },
        {
            "comment": "Mozilla Firefox Mainline release is installed",
            "oval": "oval:org.mitre.oval:def:22259"
        },
        {
            "comment": "Mozilla Firefox Mainline release is installed",
            "oval": "oval:org.mitre.oval:def:22259"
        },
        {
            "comment": "Mozilla Firefox Mainline release is installed",
            "oval": "oval:org.mitre.oval:def:22259"
        }
    ],
    "description": "Mozilla Firefox before 7.0 and SeaMonkey before 2.4 do not properly restrict availability of motion data events, which makes it easier for remote attackers to read keystrokes by leveraging JavaScript code running in a background tab.",
    "family": "windows",
    "id": "oval:org.mitre.oval:def:13954",
    "status": "accepted",
    "submitted": "2011-11-25T18:27:34.000-05:00",
    "title": "Mozilla Firefox before 7.0 and SeaMonkey before 2.4 do not properly restrict availability of motion data events, which makes it easier for remote attackers to read keystrokes by leveraging JavaScript code running in a background tab.",
    "version": "33"
}

Affected Products