Vulnerability Description
The setTimeout function in Mozilla Firefox before 3.0.12 does not properly preserve object wrapping, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafted call, related to XPCNativeWrapper.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | <= 3.0.11 |
References
- http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00002.html
- http://rhn.redhat.com/errata/RHSA-2009-1162.html
- http://secunia.com/advisories/35914 (Vendor Advisory)
- http://secunia.com/advisories/35944 (Patch, Vendor Advisory)
- http://secunia.com/advisories/36005
- http://secunia.com/advisories/36145
- http://www.mozilla.org/security/announce/2009/mfsa2009-39.html (Vendor Advisory)
- http://www.securityfocus.com/bid/35758 (Patch)
- http://www.vupen.com/english/advisories/2009/1972 (Patch, Vendor Advisory)
- https://bugzilla.mozilla.org/show_bug.cgi?id=460882
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3
- https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01032.html
FAQ
What is CVE-2009-2471?
CVE-2009-2471 is a vulnerability with a CVSS score of 10.0 (HIGH). The setTimeout function in Mozilla Firefox before 3.0.12 does not properly preserve object wrapping, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafted ...
How severe is CVE-2009-2471?
CVE-2009-2471 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2009-2471?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox.