CVE-2010-1121
Mozilla Firefox Cross Document DOM Node Moving Remote Code Execution Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Mozilla Firefox 3.6.x before 3.6.3 does not properly manage the scopes of DOM nodes that are moved from one document to another, which allows remote attackers to conduct use-after-free attacks and execute arbitrary code via unspecified vectors involving improper interaction with garbage collection, as demonstrated by Nils during a Pwn2Own competition at CanSecWest 2010.
Firefox de Mozilla versiones 3.6.x anteriores a 3.6.3, no administra apropiadamente los ámbitos de los nodos DOM que son movidos de un documento a otro, lo que permite a los atacantes remotos conducir ataques de uso de memoria previamente liberada y ejecutar código arbitrario por medio de vectores no especificados que implican una interacción inapropiada con garbage collection, como es demostrado por Nils durante una competencia de Pwn2Own en CanSecWest 2010.
This vulnerability allows remote attackers to bypass specific script execution enforcements on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
The specific flaw exists when moving DOM nodes in between documents with a specific timing while triggering garbage collection. If timed correctly Firefox will incorrectly reference a previously freed object which can be leveraged by an attacker to execute arbitrary code under the context of the current user.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2010-03-25 CVE Reserved
- 2010-03-25 CVE Published
- 2024-08-07 CVE Updated
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (26)
| URL | Tag | Source |
|---|---|---|
| http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010 | X_refsource_misc | |
| http://news.cnet.com/8301-27080_3-20001126-245.html | X_refsource_misc | |
| http://support.avaya.com/css/P8/documents/100091069 | X_refsource_confirm | |
| http://twitter.com/thezdi/statuses/11005277222 | X_refsource_misc | |
| http://www.securitytracker.com/id?1023817 | Vdb Entry | |
| http://www.vupen.com/english/advisories/2010/1592 | Vdb Entry | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=555109 | X_refsource_confirm | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10924 | Signature | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6844 | Signature |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | 3.6 Search vendor "Mozilla" for product "Firefox" and version "3.6" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | 3.6.1 Search vendor "Mozilla" for product "Firefox" and version "3.6.1" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | 3.6.2 Search vendor "Mozilla" for product "Firefox" and version "3.6.2" | - |
Affected
| ||||||