CVE-2012-4195

EUVD-2012-4139
The nsLocation::CheckURL function in Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 does not properly determine the calling document and principal in its return value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site, and makes it easier for remote attackers to execute arbitrary JavaScript code by leveraging certain add-on behavior.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 76%
Affected Products (NVD)
VendorProductVersion
mozillafirefox
𝑥
< 10.0.10
mozillafirefox
𝑥
< 16.0.2
mozillaseamonkey
𝑥
< 2.13.2
mozillathunderbird
𝑥
< 16.0.2
mozillathunderbird_esr
𝑥
< 10.0.10
opensuseopensuse
11.4
opensuseopensuse
12.1
opensuseopensuse
12.2
canonicalubuntu_linux
10.04
canonicalubuntu_linux
11.04
canonicalubuntu_linux
11.10
canonicalubuntu_linux
12.04
canonicalubuntu_linux
12.10
redhatenterprise_linux_desktop
5.0
redhatenterprise_linux_desktop
6.0
redhatenterprise_linux_eus
6.3
redhatenterprise_linux_server
5.0
redhatenterprise_linux_server
6.0
redhatenterprise_linux_workstation
5.0
redhatenterprise_linux_workstation
6.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
firefox
hardy
ignored
lucid
Fixed 16.0.2+build1-0ubuntu0.10.04.1
released
natty
Fixed 16.0.2+build1-0ubuntu0.11.04.1
released
oneiric
Fixed 16.0.2+build1-0ubuntu0.11.10.1
released
precise
Fixed 16.0.2+build1-0ubuntu0.12.04.1
released
quantal
Fixed 16.0.2+build1-0ubuntu0.12.10.1
released
raring
Fixed 17.0~b1+build1-0ubuntu1
released
saucy
Fixed 17.0~b1+build1-0ubuntu1
released
seamonkey
hardy
ignored
lucid
ignored
natty
ignored
oneiric
ignored
precise
dne
quantal
dne
raring
dne
saucy
dne
thunderbird
hardy
ignored
lucid
Fixed 16.0.2+build1-0ubuntu0.10.04.1
released
natty
ignored
oneiric
Fixed 16.0.2+build1-0ubuntu0.11.10.1
released
precise
Fixed 16.0.2+build1-0ubuntu0.12.04.1
released
quantal
Fixed 16.0.2+build1-0ubuntu0.12.10.1
released
raring
Fixed 17.0~b3+build1-0ubuntu1
released
saucy
Fixed 17.0~b3+build1-0ubuntu1
released
xulrunner-1.9.2
hardy
ignored
lucid
ignored
natty
ignored
oneiric
dne
precise
dne
quantal
dne
raring
dne
saucy
dne
xulrunner-2.0
hardy
dne
lucid
dne
natty
ignored
oneiric
dne
precise
dne
quantal
dne
raring
dne
saucy
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00019.html
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00025.html
http://rhn.redhat.com/errata/RHSA-2012-1407.html
http://rhn.redhat.com/errata/RHSA-2012-1413.html
http://secunia.com/advisories/51121
http://secunia.com/advisories/51123
http://secunia.com/advisories/51127
http://secunia.com/advisories/51144
http://secunia.com/advisories/51146
http://secunia.com/advisories/51147
http://secunia.com/advisories/51165
http://secunia.com/advisories/55318
http://www.mozilla.org/security/announce/2012/mfsa2012-90.html
http://www.securityfocus.com/bid/56302
http://www.ubuntu.com/usn/USN-1620-1
http://www.ubuntu.com/usn/USN-1620-2
https://bugzilla.mozilla.org/show_bug.cgi?id=793121
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16856
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00019.html
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00025.html
http://rhn.redhat.com/errata/RHSA-2012-1407.html
http://rhn.redhat.com/errata/RHSA-2012-1413.html
http://secunia.com/advisories/51121
http://secunia.com/advisories/51123
http://secunia.com/advisories/51127
http://secunia.com/advisories/51144
http://secunia.com/advisories/51146
http://secunia.com/advisories/51147
http://secunia.com/advisories/51165
http://secunia.com/advisories/55318
http://www.mozilla.org/security/announce/2012/mfsa2012-90.html
http://www.securityfocus.com/bid/56302
http://www.ubuntu.com/usn/USN-1620-1
http://www.ubuntu.com/usn/USN-1620-2
https://bugzilla.mozilla.org/show_bug.cgi?id=793121
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16856