{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2856?format=json","vulnerability_id":"VCID-ysfu-gcvc-33g9","summary":"David Rees reported that the JSSubScriptLoader (a\nfeature used by some add-ons) was \"unwrapping\" XPCNativeWrappers when they\nwere used as the scope parameter to loadSubScript(). Without\nthe protection of the wrappers the add-on could be vulnerable to privilege\nescalation attacks from malicious web content. Whether any given add-on\nwere vulnerable would depend on how the add-on used the feature\nand whether it interacted directly with web content, but we did find\nat least one vulnerable add-on and presume there are more.\nThe unwrapping behavior was a change introduced during Firefox 4\ndevelopment.  Firefox 3.6 and earlier versions are not affected.","aliases":[{"alias":"CVE-2011-3004"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1082?format=json","purl":"pkg:mozilla/Firefox@7.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@7.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/1084?format=json","purl":"pkg:mozilla/SeaMonkey@2.4.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@2.4.0"}],"affected_packages":[],"references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3004","reference_id":"CVE-2011-3004","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3004"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2011-43","reference_id":"mfsa2011-43","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2011-43"}],"weaknesses":[],"exploits":[],"severity_range_score":"9.0 - 10.0","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ysfu-gcvc-33g9"}