CVE-2011-3658
Mozilla Firefox nsSVGValue Out-of-Bounds Access Remote Code Execution Vulnerability
Public Exploits: 2
Exploited in Wild: -
Descriptions
The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and SeaMonkey 2.5 does not properly interact with DOMAttrModified event handlers, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via vectors involving removal of SVG elements.
The SVG implementation in Mozilla Firefox v8.0, Thunderbird v8.0, and SeaMonkey v2.6 does not interact correctly with DOMAttrModified event handlers, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have other unspecified impact via vectors involving the removal of SVG elements.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of nsSVGValue observers. A certain method call can be made to loop excessively causing an out-of-bounds memory access. By abusing this behavior an attacker can ensure this memory is under control and leverage the situation to achieve remote code execution under the context of the user running the browser.
USN-1401-1 fixed vulnerabilities in Xulrunner. This update provides the corresponding fixes for Thunderbird. It was discovered that a flaw in the Mozilla SVG implementation could result in an out-of-bounds memory access if SVG elements were removed during a DOMAttrModified event handler. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash. Atte Kettunen discovered a use-after-free vulnerability in the Gecko Rendering Engine's handling of SVG animations. An attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking the Xulrunner based application. Atte Kettunen discovered an out of bounds read vulnerability in the Gecko Rendering Engine's handling of SVG Filters. An attacker could potentially exploit this to make data from the user's memory accessible to the page content. Soroush Dalili discovered that the Gecko Rendering Engine did not adequately protect against dropping JavaScript links onto a frame. A remote attacker could, through cross-site scripting (XSS), exploit this to modify the contents of the frame or steal confidential data. Mariusz Mlynski discovered that the Home button accepted JavaScript links to set the browser Home page. An attacker could use this vulnerability to get the script URL loaded in the privileged about:sessionrestore context. Bob Clary, Vincenzo Iozzo, and Willem Pinckaers discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. Various other issues were also addressed.
SSVC
- Decision:-
Timeline
- 2011-09-23 CVE Reserved
- 2011-12-21 CVE Published
- 2012-05-08 First Exploit
- 2024-08-06 CVE Updated
- 2025-03-18 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-399: Resource Management Errors
References (22)
URL | Tag | Source |
---|---|---|
http://osvdb.org/77953 | Vdb Entry | |
http://secunia.com/advisories/47302 | Third Party Advisory | |
http://secunia.com/advisories/47334 | Third Party Advisory | |
http://secunia.com/advisories/48495 | Third Party Advisory | |
http://secunia.com/advisories/48553 | Third Party Advisory | |
http://secunia.com/advisories/48823 | Third Party Advisory | |
http://secunia.com/advisories/49055 | Third Party Advisory | |
http://www.securitytracker.com/id?1026445 | Vdb Entry | |
http://www.securitytracker.com/id?1026446 | Vdb Entry | |
http://www.securitytracker.com/id?1026447 | Vdb Entry | |
https://bugzilla.mozilla.org/show_bug.cgi?id=708186 | X_refsource_confirm | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/71910 | Vdb Entry | |
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14664 | Signature | |
URL | Date | SRC |
---|---|---|
https://packetstorm.news/files/id/112544 | 2012-05-08 | |
https://www.exploit-db.com/exploits/18847 | 2012-05-09 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Mozilla | Firefox | 8.0 | - | Affected |
Mozilla | Seamonkey | 2.5 | - | Affected |
Mozilla | Thunderbird | 8.0 | - | Affected |