CVE-2012-1956

Mozilla Firefox < 14.0 - XSS

Title source: rule

Description

Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12 do not prevent use of the Object.defineProperty method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin.

References (10)

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00028.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00011.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00014.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2012-1351.html

[Vendor Advisory] http://www.mozilla.org/security/announce/2012/mfsa2012-59.html

[Vendor Advisory] http://www.ubuntu.com/usn/USN-1548-1

[Vendor Advisory] http://www.ubuntu.com/usn/USN-1548-2

[Issue Tracking] https://bugzilla.mozilla.org/show_bug.cgi?id=756719

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/55260

[Third Party Advisory, VDB Entry] https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16367

Scores

EPSS 0.0074

EPSS Percentile 72.8%

Classification

CWE

CWE-79

Status published

Affected Products (50)

mozilla/firefox < 14.0

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

mozilla/firefox

... and 35 more

Timeline

Published Aug 29, 2012

Tracked Since Feb 18, 2026