Permissions, Privileges, and Access Controls in nspluginwrapper - CVE-2011-2486
Published: November 19, 2012 / Updated: August 11, 2020
Vulnerability identifier: #VU43327
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2011-2486
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: nspluginwrapper.org
Affected software:
nspluginwrapper
nspluginwrapper
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
nspluginwrapper before 1.4.4 does not properly provide access to NPNVprivateModeBool variable settings, which could prevent Firefox plugins from determining if they should run in Private Browsing mode and allow remote attackers to bypass intended access restrictions, as demonstrated using Flash.
How to mitigate CVE-2011-2486
Install update from vendor's website.
Sources
- http://lwn.net/Alerts/524725/
- http://rhn.redhat.com/errata/RHSA-2012-1459.html
- http://www.securitytracker.com/id?1027757
- https://bugzilla.novell.com/show_bug.cgi?id=702034
- https://bugzilla.redhat.com/show_bug.cgi?id=715384
- https://github.com/davidben/nspluginwrapper/commit/7e4ab8e1189846041f955e6c83f72bc1624e7a98