VYPR
Unrated severity · NVD Advisory · Published Jun 30, 2011 · Updated Apr 29, 2026

CVE-2011-2369

Description

Cross-site scripting (XSS) vulnerability in Mozilla Firefox 4.x through 4.0.1 allows remote attackers to inject arbitrary web script or HTML via an SVG element containing an HTML-encoded entity.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in Firefox 4.x through 4.0.1 and SeaMonkey 2.1: the innerHTML getter for inline SVG content returns text that was entered as HTML entities in decoded form instead of re-encoding it, so a round-trip through innerHTML can turn inert text into live markup.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Mozilla Firefox 4.x through 4.0.1 and SeaMonkey 2.1. The inline SVG feature introduced in Firefox 4 serializes SVG content through an innerHTML getter that does not HTML-encode text nodes as the HTML serializer does for the rest of the document: a text node that was created from an HTML-encoded entity (for example an encoded `<img>` tag) comes back as the decoded characters. The serialized string therefore no longer means what the parsed document meant, and re-inserting it injects markup and script. The affected versions are exactly those that introduced inline SVG support in the browser engine [1][2].

Exploitation

An attacker crafts an SVG element whose text content carries an HTML-encoded entity, typically an encoded tag with an event-handler attribute, and delivers it to the victim through any channel the target page accepts, such as a web page or an HTML email. No authentication or special privileges are required. The decoded string becomes live markup only when page script reads the element's innerHTML and writes the result back into the document, so applications that rely on an innerHTML round-trip to sanitize, template or re-render user content are the ones exposed; on the second insertion the decoded text is parsed as an element and its script executes in the victim's origin [1][2].
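The round-trip described above, modelled as an added example (not code from the advisory, from Mozilla or from VYPR). The tiny parser and the two serializers are constructed for illustration: one serializer re-escapes text everywhere, the other reproduces the behaviour the advisory describes by emitting text under `<svg>` decoded. The payload string is constructed; `probeSvgInnerHtmlGetter` is an assumed helper that runs only in a real browser and reports whether its innerHTML getter keeps SVG text escaped.

```javascript
// Added example (not from the advisory or Mozilla). Models why an innerHTML
// getter that does not re-escape text under <svg> (CVE-2011-2369) breaks the
// "sanitize by innerHTML round-trip" pattern: the sanitizer sees only text,
// the getter returns markup, the second insertion executes it.

const TEXT = 'text';
const ELEMENT = 'element';
const VOID = new Set(['img', 'br']);   // enough void elements for the demo

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Attribute parser for a narrow HTML subset: name, name=bare, name="quoted".
function parseAttrs(s) {
  const attrs = {};
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(s)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return attrs;
}

// Narrow HTML parser (constructed for the example): open tags, close tags, text.
// Entities in text are decoded into the text node, as a browser does.
function parse(html) {
  const root = { type: ELEMENT, name: '#root', attrs: {}, children: [] };
  const stack = [root];
  const re = /<\/([a-zA-Z][\w-]*)\s*>|<([a-zA-Z][\w-]*)([^>]*)>|([^<]+)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const top = stack[stack.length - 1];
    if (m[1] !== undefined) {                       // closing tag
      if (stack.length > 1 && top.name === m[1].toLowerCase()) stack.pop();
    } else if (m[2] !== undefined) {                // opening tag
      const el = { type: ELEMENT, name: m[2].toLowerCase(), attrs: parseAttrs(m[3]), children: [] };
      top.children.push(el);
      if (!VOID.has(el.name) && !/\/\s*$/.test(m[3])) stack.push(el);
    } else {                                        // text
      top.children.push({ type: TEXT, data: decodeEntities(m[4]) });
    }
  }
  return root;
}

// innerHTML getter model. escapeSvgText=true is the correct serializer;
// escapeSvgText=false emits text under <svg> decoded, the behaviour the
// advisory describes for Firefox 4.x.
function serialize(node, opts, insideSvg = false) {
  if (node.type === TEXT) {
    return insideSvg && !opts.escapeSvgText ? node.data : escapeText(node.data);
  }
  const inSvg = insideSvg || node.name === 'svg';
  const inner = node.children.map(c => serialize(c, opts, inSvg)).join('');
  if (node.name === '#root') return inner;
  const attrs = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${escapeAttr(v)}"`).join('');
  return VOID.has(node.name) ? `<${node.name}${attrs}>` : `<${node.name}${attrs}>${inner}</${node.name}>`;
}

// What a sanitizer would flag: <script> elements or on* event-handler attributes.
function findActiveMarkup(node, out = []) {
  if (node.type === ELEMENT) {
    if (node.name === 'script' || Object.keys(node.attrs).some(a => a.startsWith('on'))) out.push(node.name);
    node.children.forEach(c => findActiveMarkup(c, out));
  }
  return out;
}

// The round-trip pattern: parse once, check, read back via the getter, insert again.
function roundTrip(untrusted, escapeSvgText) {
  const first = parse(untrusted);
  const reserialized = serialize(first, { escapeSvgText });
  const second = parse(reserialized);
  return { afterFirst: findActiveMarkup(first), reserialized, afterSecond: findActiveMarkup(second) };
}

// Constructed payload: an encoded <img> with an event handler inside inline SVG.
const PAYLOAD = '<svg><desc>&lt;img src=x onerror=alert(1)&gt;</desc></svg>';

// Assumed helper for a real browser (not run under Node): true when the
// browser's innerHTML getter keeps SVG text escaped across a round-trip.
function probeSvgInnerHtmlGetter(doc) {
  const div = doc.createElement('div');
  div.innerHTML = '<svg><desc>&lt;b&gt;</desc></svg>';
  return div.innerHTML.includes('&lt;b&gt;');
}

console.log('correct getter:', roundTrip(PAYLOAD, true));
console.log('Firefox 4.x-style getter:', roundTrip(PAYLOAD, false));
if (typeof document !== 'undefined') {
  console.log('this browser escapes SVG text in innerHTML:', probeSvgInnerHtmlGetter(document));
}
```

With the correct serializer the payload stays a text node on both passes. With the modelled Firefox 4.x getter the first pass still reports no active markup, which is exactly what a round-trip sanitizer would see, but the re-serialized string is `<svg><desc><img src=x onerror=alert(1)></desc></svg>` and the second parse yields a live `img` with an `onerror` handler. Pasting the block into a browser console runs the probe against the real DOM.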

Impact

Successful exploitation lets an attacker inject arbitrary web script or HTML that runs in the origin of the affected page, with the victim's session. This can lead to information disclosure, session hijacking, or any other action the victim's session permits. Mozilla rates the impact as moderate [2].

Mitigation

The vulnerability is fixed in Firefox 5 and SeaMonkey 2.2, released on June 21, 2011. Users should upgrade to these versions. No workarounds are documented. Earlier versions of Firefox (3.x and below) are not affected [2]. This CVE is not listed on the CISA Known Exploited Vulnerabilities catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

17 entries

  • cpe:2.3:a:mozilla:firefox:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:4.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:4.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:4.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:4.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:4.0:beta4:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:4.0:beta5:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:4.0:beta6:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:4.0:beta7:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:4.0:beta8:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:4.0:beta9:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:4.0:beta10:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:4.0:beta11:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:4.0:beta12:*:*:*:*:*:*
  • (no CPE) range: >=4.0, <=4.0.1
  • osv-coords (2 versions):
    • (no CPE) range: < 128.5.1-1.1
    • (no CPE) range: < 50.1.0-1.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.