CVE-2012-4195

Sažetak

The nsLocation::CheckURL function in Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 does not properly determine the calling document and principal in its return value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site, and makes it easier for remote attackers to execute arbitrary JavaScript code by leveraging certain add-on behavior.

Reference

http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00019.html
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00025.html
http://rhn.redhat.com/errata/RHSA-2012-1407.html
http://rhn.redhat.com/errata/RHSA-2012-1413.html
http://secunia.com/advisories/51121
http://secunia.com/advisories/51123
http://secunia.com/advisories/51127
http://secunia.com/advisories/51144
http://secunia.com/advisories/51146
http://secunia.com/advisories/51147
http://secunia.com/advisories/51165
http://secunia.com/advisories/55318
http://www.mozilla.org/security/announce/2012/mfsa2012-90.html
http://www.securityfocus.com/bid/56302
http://www.ubuntu.com/usn/USN-1620-1
http://www.ubuntu.com/usn/USN-1620-2
https://bugzilla.mozilla.org/show_bug.cgi?id=793121
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16856

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

21-10-2024 - 13:55

Objavljeno

29-10-2012 - 18:55