CVE-2012-4193
medium
CVSS v3
—
CVSS v2
6.8
VIR risk
6.8
Description
Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://bugzilla.mozilla.org/show_bug.cgi?id=720619
Vendor advisory: cve@mitre.org — http://www.mozilla.org/security/announce/2012/mfsa2012-89.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 5.0 | affected | |
| rhel | 6.0 | affected | |
| rhel | 6.3 | affected | |
| ubuntu | 10.04 | affected | |
| ubuntu | 11.04 | affected | |
| ubuntu | 11.10 | affected | |
| ubuntu | 12.04 | affected | |
| suse | 10 | affected | |
| suse | 11 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| mozilla | firefox | {"endExcluding":"16.0.1"} | 16.0.1 |
| mozilla | seamonkey | {"endExcluding":"2.13.1"} | 2.13.1 |
| mozilla | thunderbird | {"endExcluding":"16.0.1"} | 16.0.1 |
| mozilla | thunderbird_esr | {"startIncluding":"10.0","endExcluding":"10.0.9"} | 10.0.9 |
References
- http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00010.html
- http://rhn.redhat.com/errata/RHSA-2012-1361.html
- http://rhn.redhat.com/errata/RHSA-2012-1362.html
- http://secunia.com/advisories/50904
- http://secunia.com/advisories/50906
- http://secunia.com/advisories/50907
- http://secunia.com/advisories/50964
- http://secunia.com/advisories/50984
- http://secunia.com/advisories/55318
- http://www.mozilla.org/security/announce/2012/mfsa2012-89.html
- http://www.ubuntu.com/usn/USN-1611-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=720619
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79211
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16786
- http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00010.html
- http://rhn.redhat.com/errata/RHSA-2012-1361.html
- http://rhn.redhat.com/errata/RHSA-2012-1362.html
- http://secunia.com/advisories/50904
- http://secunia.com/advisories/50906
- http://secunia.com/advisories/50907
- http://secunia.com/advisories/50964
- http://secunia.com/advisories/50984
- http://secunia.com/advisories/55318
- http://www.mozilla.org/security/announce/2012/mfsa2012-89.html
- http://www.ubuntu.com/usn/USN-1611-1
CWEs
CWE-346
Verify integrity in audit chain (admin only). AS-IS.