CVE-2012-1944

Firefox 4.x-12.0 and ESR 10.x < 10.0.5 - Cross-Site Scripting via Inline Event Handlers

Title source: llm
STIX 2.1

Description

The Content Security Policy (CSP) implementation in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 does not block inline event handlers, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted HTML document.

References (9)

Core 9
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0710.html
Permissions Required third-party-advisory x_refsource_secunia
http://secunia.com/advisories/49981
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2012:088
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17005
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0715.html
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=751422

Scores

EPSS 0.0185
EPSS Percentile 76.7%

Details

CWE
CWE-79
Status published
Products (33)
mozilla/firefox 4.0 (13 CPE variants)
mozilla/firefox 4.0.1
mozilla/firefox 5.0
mozilla/firefox 5.0.1
mozilla/firefox 6.0
mozilla/firefox 6.0.1
mozilla/firefox 6.0.2
mozilla/firefox 7.0
mozilla/firefox 7.0.1
mozilla/firefox 8.0
... and 23 more
Published Jun 05, 2012
Tracked Since Feb 18, 2026