4.3
CVE-2012-4201
- EPSS 3.08%
- Veröffentlicht 21.11.2012 12:55:01
- Zuletzt bearbeitet 16.06.2026 23:44:35
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
The evalInSandbox implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 uses an incorrect context during the handling of JavaScript code that sets the location.href property, which allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mozilla ≫ Thunderbird Version < 17.0
Mozilla ≫ Thunderbird Esr Version >= 10.0 < 10.0.11
Suse ≫ Linux Enterprise Desktop Version10 Updatesp4
Suse ≫ Linux Enterprise Desktop Version11 Updatesp2
Suse ≫ Linux Enterprise Server Version10 Updatesp4
Suse ≫ Linux Enterprise Server Version11 Updatesp2
Suse ≫ Linux Enterprise Server Version11 Updatesp2 SwPlatformvmware
Suse ≫ Linux Enterprise Software Development Kit Version10 Updatesp4
Suse ≫ Linux Enterprise Software Development Kit Version11 Updatesp2
Redhat ≫ Enterprise Linux Desktop Version5.0
Redhat ≫ Enterprise Linux Desktop Version6.0
Redhat ≫ Enterprise Linux Eus Version6.3
Redhat ≫ Enterprise Linux Server Version5.0
Redhat ≫ Enterprise Linux Server Version6.0
Redhat ≫ Enterprise Linux Workstation Version5.0
Redhat ≫ Enterprise Linux Workstation Version6.0
Canonical ≫ Ubuntu Linux Version10.04 SwEdition-
Canonical ≫ Ubuntu Linux Version11.10
Canonical ≫ Ubuntu Linux Version12.04 SwEditionesm
Canonical ≫ Ubuntu Linux Version12.10
Debian ≫ Debian Linux Version6.0
Debian ≫ Debian Linux Version7.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.08% | 0.86 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00022.html
http://lists.opensuse.org/opensuse-updates/2012-11/msg00090.html
http://lists.opensuse.org/opensuse-updates/2012-11/msg00092.html
http://lists.opensuse.org/opensuse-updates/2012-11/msg00093.html
http://osvdb.org/87594
http://rhn.redhat.com/errata/RHSA-2012-1482.html
http://rhn.redhat.com/errata/RHSA-2012-1483.html
http://secunia.com/advisories/51359
http://secunia.com/advisories/51360
http://secunia.com/advisories/51369
http://secunia.com/advisories/51370
http://secunia.com/advisories/51381
http://secunia.com/advisories/51434
http://secunia.com/advisories/51439
http://secunia.com/advisories/51440
http://www.debian.org/security/2012/dsa-2583
http://www.debian.org/security/2012/dsa-2584
http://www.debian.org/security/2012/dsa-2588
http://www.mandriva.com/security/advisories?name=MDVSA-2012:173
http://www.mozilla.org/security/announce/2012/mfsa2012-93.html
http://www.securityfocus.com/bid/56618
http://www.ubuntu.com/usn/USN-1636-1
http://www.ubuntu.com/usn/USN-1638-1
http://www.ubuntu.com/usn/USN-1638-2
http://www.ubuntu.com/usn/USN-1638-3
https://bugzilla.mozilla.org/show_bug.cgi?id=747607
https://exchange.xforce.ibmcloud.com/vulnerabilities/80171
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15995