Mozilla · Firefox · CVE-2012-0475
**Name of the Vulnerable Software and Affected Versions**
Mozilla Firefox versions 4.x through 11.0
Thunderbird versions 5.0 through 11.0
SeaMonkey versions prior to 2.9
**Description**
The issue arises from the improper construction of the Origin and Sec-WebSocket-Origin HTTP headers, potentially allowing remote attackers to bypass an IPv6 literal ACL. This could occur through a cross-site (1) XMLHttpRequest or (2) WebSocket operation involving a nonstandard port number and an IPv6 address that contains certain zero fields.
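A server that keeps an origin ACL with IPv6 literals is safer comparing parsed, canonical origins than raw header strings. The sketch below is an added example, not code from Mozilla or from this advisory; the function names, the ACL format and the sample addresses are assumptions. It rejects any Origin value that does not parse unambiguously.

```python
import ipaddress
import re

# Strict serialized-origin grammar: scheme://host[:port], IPv6 only inside [].
ORIGIN_RE = re.compile(
    r"(https?|wss?)://(?:\[([0-9A-Fa-f:.]+)\]|([A-Za-z0-9.-]+))(?::([0-9]{1,5}))?"
)
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def canonical_origin(value):
    """Return (scheme, host, port) in canonical form, or None if malformed."""
    m = ORIGIN_RE.fullmatch(value.strip())
    if m is None:
        return None  # unbracketed IPv6, paths, userinfo, non-numeric ports
    scheme, v6, name, port = m.groups()
    if v6 is not None:
        try:
            # One spelling per address, however its zero fields were written.
            host = ipaddress.IPv6Address(v6).compressed
        except ValueError:
            return None
    else:
        host = name.lower()
    port = int(port) if port else DEFAULT_PORTS[scheme]
    if not 0 < port <= 65535:
        return None
    return (scheme, host, port)


def build_acl(entries):
    """Canonicalize configured origins once; refuse entries that do not parse."""
    acl = set()
    for entry in entries:
        canon = canonical_origin(entry)
        if canon is None:
            raise ValueError("unparseable ACL entry: %r" % entry)
        acl.add(canon)
    return acl


def origin_allowed(header_value, acl):
    """Fail closed: a malformed Origin/Sec-WebSocket-Origin never matches."""
    canon = canonical_origin(header_value)
    return canon is not None and canon in acl


# Constructed sample data (2001:db8::/32 is the documentation prefix).
ACL = build_acl(["http://[2001:db8:0:0:0:0:0:1]:8080"])
```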
**Recommendations**
For Mozilla Firefox versions 4.x through 11.0, update to a release newer than 11.0 to resolve the issue.
For Thunderbird versions 5.0 through 11.0, update to a release newer than 11.0 to resolve the issue.
For SeaMonkey versions prior to 2.9, update to version 2.9 or later to resolve the issue.