CVE-2011-2486

nspluginwrapper before 1.4.4 does not properly provide access to NPNVprivateModeBool variable settings, which could prevent Firefox plugins from determining if they should run in Private Browsing mode and allow remote attackers to bypass intended access restrictions, as demonstrated using Flash.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lwn.net/Alerts/524725/
http://rhn.redhat.com/errata/RHSA-2012-1459.html
http://www.securitytracker.com/id?1027757	Patch
https://bugzilla.novell.com/show_bug.cgi?id=702034
https://bugzilla.redhat.com/show_bug.cgi?id=715384
https://github.com/davidben/nspluginwrapper/commit/7e4ab8e1189846041f955e6c83f72bc1624e7a98

Configurations

Configuration 1 (hide)

cpe:2.3:a:nspluginwrapper:nspluginwrapper:1.4.2:*:*:*:*:*:*:*

History

No history.

Information

Published : 2012-11-19 12:10

Updated : 2024-02-28 12:00

NVD link : CVE-2011-2486

Mitre link : CVE-2011-2486

CVE.ORG link : CVE-2011-2486

JSON object : View

Products Affected

nspluginwrapper

nspluginwrapper

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2011-2486", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2012-11-19T12:10:48.917", "references": [{"url": "http://lwn.net/Alerts/524725/", "source": "secalert@redhat.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1459.html", "source": "secalert@redhat.com"}, {"url": "http://www.securitytracker.com/id?1027757", "tags": ["Patch"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.novell.com/show_bug.cgi?id=702034", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=715384", "source": "secalert@redhat.com"}, {"url": "https://github.com/davidben/nspluginwrapper/commit/7e4ab8e1189846041f955e6c83f72bc1624e7a98", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "nspluginwrapper before 1.4.4 does not properly provide access to NPNVprivateModeBool variable settings, which could prevent Firefox plugins from determining if they should run in Private Browsing mode and allow remote attackers to bypass intended access restrictions, as demonstrated using Flash."}, {"lang": "es", "value": "nspluginwrapper antes de v1.4.4 no proporciona adecuadamente acceso a la variable de configuraci\u00f3n NPNVprivateModeBool, lo que podr\u00eda impedir a algunos plugins de Firefox a la hora de determinar si se deben ejecutar en el modo de navegaci\u00f3n privada y permitir de esta forma a atacantes remotos evitar las restricciones de acceso, tal y como se demostr\u00f3 con el uso inapropiado de Flash.\r\n"}], "lastModified": "2013-09-01T06:24:51.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nspluginwrapper:nspluginwrapper:1.4.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "87E01B32-8F5C-4327-993B-7C43D1B45E7E"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}