CVE-2011-2999 | Vulnerability Database | Aqua Security

Mozilla Firefox before 3.6.23 and 4.x through 5, Thunderbird before 6.0, and SeaMonkey before 2.3 do not properly handle location as the name of a frame, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, a different vulnerability than CVE-2010-0170.

Affected Software

Name	Vendor	Start Version	End Version
Firefox	Mozilla	3.6.2	3.6.2
Firefox	Mozilla	3.6.3	3.6.3
Firefox	Mozilla	3.6.15	3.6.15
Firefox	Mozilla	3.6.17	3.6.17
Firefox	Mozilla	3.6.11	3.6.11
Firefox	Mozilla	3.6.8	3.6.8
Firefox	Mozilla	3.6.9	3.6.9
Firefox	Mozilla	3.6.14	3.6.14
Firefox	Mozilla	3.6.12	3.6.12
Firefox	Mozilla	*	3.6.22
Firefox	Mozilla	3.6.6	3.6.6
Firefox	Mozilla	3.6.21	3.6.21
Firefox	Mozilla	3.6.16	3.6.16
Firefox	Mozilla	3.6.10	3.6.10
Firefox	Mozilla	3.6.19	3.6.19
Firefox	Mozilla	3.6.7	3.6.7
Firefox	Mozilla	3.6.4	3.6.4
Firefox	Mozilla	3.6.18	3.6.18
Firefox	Mozilla	3.6.20	3.6.20
Firefox	Mozilla	3.6	3.6
Firefox	Mozilla	3.6.13	3.6.13

References

http://www.mozilla.org/security/announce/2011/mfsa2011-38.html
https://bugzilla.mozilla.org/show_bug.cgi?id=665548
http://www.debian.org/security/2011/dsa-2312
http://www.redhat.com/support/errata/RHSA-2011-1341.html
http://www.mandriva.com/security/advisories?name=MDVSA-2011:139
http://www.debian.org/security/2011/dsa-2313
http://www.debian.org/security/2011/dsa-2317
http://www.mandriva.com/security/advisories?name=MDVSA-2011:140
http://www.mandriva.com/security/advisories?name=MDVSA-2011:141
http://secunia.com/advisories/46315
http://lists.opensuse.org/opensuse-updates/2011-10/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00020.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14252

NVD	https://nvd.nist.gov/vuln/detail/CVE-2011-2999
CWE	https://cwe.mitre.org/data/definitions/264.html