CVE-2012-4195

The nsLocation::CheckURL function in Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 does not properly determine the calling document and principal in its return value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site, and makes it easier for remote attackers to execute arbitrary JavaScript code by leveraging certain add-on behavior.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 75%
VendorProductVersion
mozillafirefox
𝑥
< 10.0.10
mozillafirefox
𝑥
< 16.0.2
mozillaseamonkey
𝑥
< 2.13.2
mozillathunderbird
𝑥
< 16.0.2
mozillathunderbird_esr
𝑥
< 10.0.10
opensuseopensuse
11.4
opensuseopensuse
12.1
opensuseopensuse
12.2
canonicalubuntu_linux
10.04
canonicalubuntu_linux
11.04
canonicalubuntu_linux
11.10
canonicalubuntu_linux
12.04
canonicalubuntu_linux
12.10
redhatenterprise_linux_desktop
5.0
redhatenterprise_linux_desktop
6.0
redhatenterprise_linux_eus
6.3
redhatenterprise_linux_server
5.0
redhatenterprise_linux_server
6.0
redhatenterprise_linux_workstation
5.0
redhatenterprise_linux_workstation
6.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
firefox
saucy
Fixed 17.0~b1+build1-0ubuntu1
released
raring
Fixed 17.0~b1+build1-0ubuntu1
released
quantal
Fixed 16.0.2+build1-0ubuntu0.12.10.1
released
precise
Fixed 16.0.2+build1-0ubuntu0.12.04.1
released
oneiric
Fixed 16.0.2+build1-0ubuntu0.11.10.1
released
natty
Fixed 16.0.2+build1-0ubuntu0.11.04.1
released
lucid
Fixed 16.0.2+build1-0ubuntu0.10.04.1
released
hardy
ignored
seamonkey
saucy
dne
raring
dne
quantal
dne
precise
dne
oneiric
ignored
natty
ignored
lucid
ignored
hardy
ignored
thunderbird
saucy
Fixed 17.0~b3+build1-0ubuntu1
released
raring
Fixed 17.0~b3+build1-0ubuntu1
released
quantal
Fixed 16.0.2+build1-0ubuntu0.12.10.1
released
precise
Fixed 16.0.2+build1-0ubuntu0.12.04.1
released
oneiric
Fixed 16.0.2+build1-0ubuntu0.11.10.1
released
natty
ignored
lucid
Fixed 16.0.2+build1-0ubuntu0.10.04.1
released
hardy
ignored
xulrunner-1.9.2
saucy
dne
raring
dne
quantal
dne
precise
dne
oneiric
dne
natty
ignored
lucid
ignored
hardy
ignored
xulrunner-2.0
saucy
dne
raring
dne
quantal
dne
precise
dne
oneiric
dne
natty
ignored
lucid
dne
hardy
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00019.html
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00025.html
http://rhn.redhat.com/errata/RHSA-2012-1407.html
http://rhn.redhat.com/errata/RHSA-2012-1413.html
http://secunia.com/advisories/51121
http://secunia.com/advisories/51123
http://secunia.com/advisories/51127
http://secunia.com/advisories/51144
http://secunia.com/advisories/51146
http://secunia.com/advisories/51147
http://secunia.com/advisories/51165
http://secunia.com/advisories/55318
http://www.mozilla.org/security/announce/2012/mfsa2012-90.html
http://www.securityfocus.com/bid/56302
http://www.ubuntu.com/usn/USN-1620-1
http://www.ubuntu.com/usn/USN-1620-2
https://bugzilla.mozilla.org/show_bug.cgi?id=793121
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16856
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00019.html
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00025.html
http://rhn.redhat.com/errata/RHSA-2012-1407.html
http://rhn.redhat.com/errata/RHSA-2012-1413.html
http://secunia.com/advisories/51121
http://secunia.com/advisories/51123
http://secunia.com/advisories/51127
http://secunia.com/advisories/51144
http://secunia.com/advisories/51146
http://secunia.com/advisories/51147
http://secunia.com/advisories/51165
http://secunia.com/advisories/55318
http://www.mozilla.org/security/announce/2012/mfsa2012-90.html
http://www.securityfocus.com/bid/56302
http://www.ubuntu.com/usn/USN-1620-1
http://www.ubuntu.com/usn/USN-1620-2
https://bugzilla.mozilla.org/show_bug.cgi?id=793121
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16856