The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 uses the same class loader for applets with the same codebase path but from different domains, which allows remote attackers to obtain sensitive information or possibly alter other applets via a crafted applet.
icedtea.classpath.org/hg/release/icedtea-web-1.2/file/icedtea-web-1.2.3/NEWS
icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/34b6f60ae586
icedtea.classpath.org/hg/release/icedtea-web-1.3/rev/25dd7c7ac39c
lists.opensuse.org/opensuse-security-announce/2013-05/msg00020.html
lists.opensuse.org/opensuse-security-announce/2013-07/msg00013.html
lists.opensuse.org/opensuse-updates/2013-04/msg00106.html
lists.opensuse.org/opensuse-updates/2013-05/msg00003.html
lists.opensuse.org/opensuse-updates/2013-05/msg00032.html
lists.opensuse.org/opensuse-updates/2013-06/msg00030.html
lists.opensuse.org/opensuse-updates/2013-06/msg00034.html
lists.opensuse.org/opensuse-updates/2013-06/msg00101.html
mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022790.html
osvdb.org/92543
rhn.redhat.com/errata/RHSA-2013-0753.html
secunia.com/advisories/53109
secunia.com/advisories/53117
www.mandriva.com/security/advisories?name=MDVSA-2013:146
www.securityfocus.com/bid/59281
www.ubuntu.com/usn/USN-1804-1
bugzilla.redhat.com/show_bug.cgi?id=916774
exchange.xforce.ibmcloud.com/vulnerabilities/83642
wiki.mageia.org/en/Support/Advisories/MGASA-2013-0123