CVE-2010-1215 - OpenCVE

Mozilla Firefox 3.6.x before 3.6.7 and Thunderbird 3.1.x before 3.1.1 do not properly implement access to a content object through a SafeJSObjectWrapper (aka SJOW) wrapper, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging "access to an object from the chrome scope."

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Mozilla	Firefox Thunderbird

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:3.6.1:::::::*
	cpe:2.3:a:mozilla:firefox:3.6.2:::::::*
	cpe:2.3:a:mozilla:firefox:3.6.3:::::::*
	cpe:2.3:a:mozilla:firefox:3.6.4:::::::*
	cpe:2.3:a:mozilla:firefox:3.6.6:::::::*

Configuration 2 [-]

cpe:2.3:a:mozilla:thunderbird:3.1:*:*:*:*:*:*:*

References

Link	Resource
http://www.mozilla.org/security/announce/2010/mfsa2010-38.html	Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=567069
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11527

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2010-07-30T20:00:00

Updated: 2017-09-18T12:57:01

Reserved: 2010-03-30T00:00:00

Link: CVE-2010-1215

JSON object: View

NVD Information

Status : Modified

Published: 2010-07-30T20:30:01.643

Modified: 2017-09-19T01:30:37.347

Link: CVE-2010-1215

JSON object: View

Redhat Information

No data.

CWE

CWE-94

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-07-20T00:00:00", "descriptions": [{"lang": "en", "value": "Mozilla Firefox 3.6.x before 3.6.7 and Thunderbird 3.1.x before 3.1.1 do not properly implement access to a content object through a SafeJSObjectWrapper (aka SJOW) wrapper, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging \"access to an object from the chrome scope.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=567069"}, {"name": "oval:org.mitre.oval:def:11527", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11527"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.mozilla.org/security/announce/2010/mfsa2010-38.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-1215", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mozilla Firefox 3.6.x before 3.6.7 and Thunderbird 3.1.x before 3.1.1 do not properly implement access to a content object through a SafeJSObjectWrapper (aka SJOW) wrapper, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging \"access to an object from the chrome scope.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=567069", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=567069"}, {"name": "oval:org.mitre.oval:def:11527", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11527"}, {"name": "http://www.mozilla.org/security/announce/2010/mfsa2010-38.html", "refsource": "CONFIRM", "url": "http://www.mozilla.org/security/announce/2010/mfsa2010-38.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-1215", "datePublished": "2010-07-30T20:00:00", "dateReserved": "2010-03-30T00:00:00", "dateUpdated": "2017-09-18T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "39A968C1-8F61-4A26-A098-84F9A4DD5D3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:3.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "30D47263-03AD-4060-91E3-90F997B3D174", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:3.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "AFD775DF-277E-4D5B-B980-B8E6E782467D", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:3.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "C8587BFD-417D-42BE-A5F8-22FDC68FA9E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:3.6.6:*:*:*:*:*:*:*", "matchCriteriaId": "D7364FAB-EEE9-4064-A8AD-6547239F9AB3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "58FC2EFB-CE85-4A65-A7B4-A0779F11B5BA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mozilla Firefox 3.6.x before 3.6.7 and Thunderbird 3.1.x before 3.1.1 do not properly implement access to a content object through a SafeJSObjectWrapper (aka SJOW) wrapper, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging \"access to an object from the chrome scope.\""}, {"lang": "es", "value": "Mozilla Firefox v3.6.x anteriores a la v3.6.7 y Thunderbird v3.1.x anteriores a la v3.1.1 no implementan apropiadamente el acceso a un objeto de contenido a trav\u00e9s de un \"wrapper\" (encapsulador) SafeJSObjectWrapper (SJOW), lo que permite a atacantes remotos ejecutar c\u00f3digo JavaScript de su elecci\u00f3n con privilegios chrome usando \"acceso a un objeto desde el scope (alcance) chrome\"."}], "id": "CVE-2010-1215", "lastModified": "2017-09-19T01:30:37.347", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2010-07-30T20:30:01.643", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2010/mfsa2010-38.html"}, {"source": "cve@mitre.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=567069"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11527"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}